[pkg-apparmor] Bug#993568: dh-apparmor: Allow opting-out from creating local include

Christian Boltz debian-bugs at cboltz.de
Sat Sep 4 21:33:04 BST 2021


Hello,

On Friday, 3 September 2021, 10:01:47 CEST, intrigeri at debian.org wrote:
> "include if exists" is well supported in AppArmor 3.x,
> so we could stop creating /etc/apparmor.d/local/$profile
> local include files.
> 
> I don't think we can do that by default though: if we did, it would
> break loading newly installed profiles that still use #include.

Interestingly I received a similar proposal for openSUSE and will 
probably stop shipping the local/* snippets with the 3.1 release.
(Handling / cleaning up existing local/* files without getting modified 
files moved away is an interesting[tm] packaging exercise. I'm not sure 
how much the handling of that can be shared between RPM and DEB packages, 
but we should at least try to avoid duplicate work.)

This also leads to the question if upstream AppArmor should by default 
stop generating the local/* snippets in profiles/Makefile. Since all 
profiles shipped with the upstream tarball use "include if exists", that 
wouldn't break anything.

Anyway - back to the original topic ;-)

I see two possible options:

- add an option to dh_apparmor to not create the local/ snippet
  (disadvantage: needs adjustments in all packages that don't want the 
  local/ file; advantage: no "surprising" behaviour change)

- make dh_apparmor a bit more intelligent and grep the profile for the 
  local include. If it finds "include <local/$filename>" it should 
  create the local/ file, but if it finds "include if exists <local/
  $filename>" it could stop creating that file. Or, to make it more 
  error-proof, create the local/ file if it doesn't find 
  "include if exists <local/$filename>". [Note: I don't know the current
  dh_apparmor code.]
  (advantage: no need to adjust any package; disadvantage: applying grep 
  magic to the real world is sometimes not as easy as it looks)

BTW: If you want to use grep, you can steal the grep regex from the 
upstream profiles/Makefile (in the "local:" target).


Regards,

Christian Boltz
-- 
A bug a day keeps the doctor away - ke 2006
[bugzilla.novell.com quips]
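As an added illustration (not code from the mail, dh_apparmor or upstream AppArmor) of the "error-proof" second option above: a POSIX sh helper that creates the local/ snippet unless the profile already uses "include if exists <local/NAME>". The function names, the grep regex and the sample profiles are this example's own; the regex is not the one from upstream profiles/Makefile.

```shell
#!/bin/sh
# Decide whether a dh_apparmor-style helper must create
# /etc/apparmor.d/local/NAME for a profile. Rule: create the snippet
# UNLESS the profile contains "include if exists <local/NAME>". A plain
# "include <local/NAME>" or the older "#include <local/NAME>" still needs
# the file to exist, otherwise apparmor_parser refuses to load the profile.
set -u

# needs_local_snippet PROFILE NAME
# Returns 0 (true) when local/NAME must be created, 1 when the profile only
# references it via "include if exists". A line commented out as
# "# include ..." (hash, then whitespace) is deliberately NOT matched, so a
# stale comment cannot suppress the snippet; "#include" (no space) is the
# old include syntax and IS matched. Regex is this example's own.
needs_local_snippet() {
    profile=$1
    name=$2
    if grep -Eq "^[[:space:]]*#?include[[:space:]]+if[[:space:]]+exists[[:space:]]+<local/${name}>" "$profile"; then
        return 1
    fi
    return 0
}

# write_sample_profiles DIR: constructed sample profiles covering the cases
# a packaging helper meets in the wild (not real shipped profiles).
write_sample_profiles() {
    dir=$1
    # Old syntax: local/ file is mandatory.
    printf '/usr/bin/foo {\n  #include <local/usr.bin.foo>\n}\n' > "$dir/usr.bin.foo"
    # 3.x syntax: local/ file is optional.
    printf '/usr/bin/bar {\n  include if exists <local/usr.bin.bar>\n}\n' > "$dir/usr.bin.bar"
    # Commented-out "include if exists" next to a real mandatory include.
    printf '/usr/bin/baz {\n  # include if exists <local/usr.bin.baz>\n  include <local/usr.bin.baz>\n}\n' > "$dir/usr.bin.baz"
}

# Stand-alone run: report the decision for each sample profile.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_profiles "$tmp"
    for p in usr.bin.foo usr.bin.bar usr.bin.baz; do
        if needs_local_snippet "$tmp/$p" "$p"; then
            echo "$p: create local/$p"
        else
            echo "$p: skip local/$p (uses include if exists)"
        fi
    done
    rm -rf "$tmp"
fi
```

Run with `sh example.sh --demo`; only usr.bin.bar is reported as skippable.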