[pkg-apparmor] Bug#879585: apparmor: Pin the AppArmor feature set in Stretch to Linux 4.9's

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Dec 5 11:11:03 UTC 2017


On Tue, Dec 05, 2017 at 11:37:51AM +0100, intrigeri wrote:
> Hi Fabian!
> 
> Fabian Grünbichler:
> > is there a particular reason for not putting this into the (included by
> > default) /usr/share/apparmor, but into parser.conf directly?
> 
> Does "this" refer to the features file itself or to the
> features-file= directive?

I meant the directive. in the meantime I looked at the AA code and
realized that what I mistook for config snippet inclusion was just a way
to set the search path for #include statements in profiles :-/

I am not sure whether the features file itself would really need to be a
conf file though, if it is already pointed to by a conf file directive?
putting the features file itself somewhere into /usr/share would at
least allow a sane diversion without having to touch the parser.conf as
an alternative solution to the one described below?

modifications by the admin would still be easy (just point to a modified
copy of the features file), and modification by downstreams would be a
lot easier (just divert the features file) than currently..

> 
> What do you mean with /usr/share/apparmor being "included by default"?
> I wonder if there's a misunderstanding here.

see above, there was ;)

> 
> > this makes life of admins / downstreams using a newer kernel / policy /
> > feature set unnecessarily harder, as there is no way to override this
> > features-file config directive now besides
> 
> > - messing with an apparmor-owned config file (possible for an admin, not
> >   really an option for a derivative/downstream)
> > - re-building the apparmor package (lots of effort for overriding a
> >   single config line)
> 
> Understood. Ideally parser.conf would be complemented by
> /etc/apparmor/parser.conf.d/*.conf, which could be sourced at the end
> of parser.conf somehow. And then we can ship the default parser.conf
> in /usr. TTBOMK we have no way to source such additional config
> drop-in snippets though. I suspect upstream would be happy to consider
> patches that add this feature :)

yes, that would have been nice. alas, there is no such thing now, and
getting one in time for the upcoming point release is not really an
option.. maybe in time for buster?

> 
> > putting it into /usr/share/apparmor would allow drop-in replacement by
> > other packages and have the same net effect on stock Debian systems, at
> > least if I understood the terse parser.conf comments and apparmor_parser
> > man page correctly ;)
> 
> I see. Now, local admins may want to modify their parser
> configuration, and the only way we currently have to allow them to do
> it is to ship parser.conf as a conffile in /etc.

I know how conffiles work, and I am not advocating to make parser.conf a
regular file :P

> 
> If we had this drop-in snippet support for complementing the default
> parser.conf, then both your use case and that one would be supported
> nicely, right?

yes.

> 
> > (thanks a lot for working hard on getting AA to work OOTB in Debian BTW
> > - long overdue and really looking forward to it!)
> 
> Thank you :)
> 
> Cheers,
> -- 
> intrigeri
> 

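The thread turns on one mechanism: the `features-file=` directive in parser.conf, and the wish for a `/etc/apparmor/parser.conf.d/*.conf` drop-in directory so a downstream or an admin could override that single line without editing or rebuilding the shipped file. The following is an added illustration (not pkg-apparmor or upstream AppArmor code; apparmor_parser itself does not implement drop-ins) that simulates the proposed merge: the shipped parser.conf is read first, drop-ins are applied in filename order, and the last setting of a directive wins. All paths, file names and file contents are constructed placeholders for the demonstration.

```python
"""Simulation of parser.conf + parser.conf.d/*.conf drop-in merging.

Added example, not part of the pkg-apparmor package or of apparmor_parser.
It models the semantics the thread asks for: a downstream package or a local
admin overrides the `features-file=` directive by dropping a snippet into a
.d directory instead of touching the conffile itself.
"""
from typing import Dict, List, Tuple

# Constructed stand-in for the shipped /etc/apparmor/parser.conf (hypothetical content).
BASE_PARSER_CONF = """\
# parser.conf: one directive per line, '#' starts a comment
Optimize=compress-fast
features-file=/usr/share/apparmor-features/features   # pinned to the Stretch kernel
"""

# Constructed drop-in from a hypothetical downstream shipping a newer kernel.
DOWNSTREAM_DROPIN = ("10-downstream.conf", """\
# downstream pins the feature set of its own kernel
features-file=/usr/share/downstream-apparmor/features
""")

# Constructed drop-in a local admin might add on top of the downstream one.
LOCAL_DROPIN = ("90-local.conf", """\
features-file=/usr/local/share/apparmor/features-local
""")


def parse_directives(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines in the style of parser.conf.

    '#' begins a comment, blank lines are ignored, a directive without '='
    is kept as a flag with an empty value, and a later line overrides an
    earlier one within the same file.
    """
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip()] = value.strip()
        else:
            directives[line] = ""
    return directives


def effective_config(base: str, dropins: List[Tuple[str, str]]
                     ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Merge the base parser.conf with drop-ins sorted by file name.

    Returns (effective, origin): the resulting directives and, for each key,
    the name of the file that last set it, so a practitioner can see which
    layer (package, downstream, admin) is in force for `features-file`.
    """
    effective: Dict[str, str] = {}
    origin: Dict[str, str] = {}
    sources = [("parser.conf", base)] + sorted(dropins)
    for name, text in sources:
        for key, value in parse_directives(text).items():
            effective[key] = value
            origin[key] = name
    return effective, origin


def demo(include_local: bool = True) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Run the merge on the constructed files above."""
    dropins = [DOWNSTREAM_DROPIN]
    if include_local:
        dropins.append(LOCAL_DROPIN)
    return effective_config(BASE_PARSER_CONF, dropins)


if __name__ == "__main__":
    for include_local in (False, True):
        eff, origin = demo(include_local)
        print(f"local drop-in present: {include_local}")
        for key in sorted(eff):
            print(f"  {key}={eff[key]}  (from {origin[key]})")
```

With only the downstream snippet present, `features-file` comes from `10-downstream.conf`; adding `90-local.conf` lets the admin win over the downstream without either of them editing the package's conffile, which is exactly the layering the drop-in proposal would give.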