[pkg-apparmor] Bug#879585: apparmor: Pin the AppArmor feature set in Stretch to Linux 4.9's

intrigeri intrigeri at debian.org
Wed Dec 6 10:31:45 UTC 2017


Hi,

Fabian Grünbichler:
> I am not sure whether the features file itself would really need to be a
> conf file though, if it is already pointed to by a conf file directive?
> putting the features file itself somewhere into /usr/share would at
> least allow a sane diversion without having to touch the parser.conf as
> an alternative solution to the one described below?

> modifications by the admin would still be easy (just point to a modified
> copy of the features file), and modification by downstreams would be a
> lot easier (just divert the features file) than currently..

Right. This looks like a good interim solution to me. Do you want to
try to implement it in the packaging?

> intrigeri:
>> Understood. Ideally parser.conf would be complemented by
>> /etc/apparmor/parser.conf.d/*.conf, which could be sourced at the end
>> of parser.conf somehow. And then we can ship the default parser.conf
>> in /usr. TTBOMK we have no way to source such additional config
>> drop-in snippets though. I suspect upstream would be happy to consider
>> patches that add this feature :)

> yes, that would have been nice. alas, there is no such thing now, and
> getting one in time for the upcoming point release is not really an
> option.. maybe in time for buster?

>> If we had this drop-in snippet support for complementing the default
>> parser.conf, then both your use case and that one would be supported
>> nicely, right?

> yes.

Would you be willing to work on such a feature upstream so downstreams
& derivatives have a cleaner (than diversion) way to address
this problem?

Either way, can you please file a dedicated bug report so we track
this issue elsewhere than on a bug that's going to be closed in
a few days?

Cheers,
-- 
intrigeri


