Hello,
On Friday, 3 September 2021, 10:01:47 CEST, intrig...@debian.org wrote:
> "include if exists" is well supported in AppArmor 3.x,
> so we could stop creating /etc/apparmor.d/local/$profile
> local include files.
>
> I don't think we can do that by default though: if we did, it would
> break loading newly installed profiles that still use #include.
Interestingly I received a similar proposal for openSUSE and will
probably stop shipping the local/* snippets with the 3.1 release.
(Handling / cleaning up existing local/* files without getting modified
files moved away is an interesting[tm] packaging exercise. I'm not sure
how much the handling of that can be shared between RPM and DEB packages,
but we should at least try to avoid duplicate work.)
This also leads to the question if upstream AppArmor should by default
stop generating the local/* snippets in profiles/Makefile. Since all
profiles shipped with the upstream tarball use "include if exists", that
wouldn't break anything.
Anyway - back to the original topic ;-)
I see two possible options:
- add an option to dh_apparmor to not create the local/ snippet
(disadvantage: needs adjustments in all packages that don't want the
local/ file; advantage: no "surprising" behaviour change)
- make dh_apparmor a bit more intelligent and grep the profile for the
local include. If it finds "include " it should create the local/ file,
but if it finds "include if exists " it could stop creating that file.
Or, to make it more error-proof, create the local/ file if it doesn't
find "include if exists ". [Note: I don't know the current
dh_apparmor code.]
(advantage: no need to adjust any package; disadvantage: applying grep
magic to the real world is sometimes not as easy as it looks)
BTW: If you want to use grep, you can steal the grep regex from the
upstream profiles/Makefile (in the "local:" target).
Regards,
Christian Boltz
--
A bug a day keeps the doctor away - ke 2006
[bugzilla.novell.com quips]
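The second option sketched above, as an added illustration that is not dh_apparmor's own code and not the upstream profiles/Makefile regex: a helper that creates the local/ stub only when the profile still uses a plain `include`/`#include` of `<local/NAME>`, leaves it out when the profile uses `include if exists`, and never overwrites an existing (possibly admin-edited) local file. The function names, the temp-dir layout and the sample profiles are constructed for the example.

```shell
#!/bin/sh
# Hypothetical helper (not dh_apparmor code): decide whether a profile
# needs a local/NAME file and create it only then.

# needs_local_file PROFILE_PATH NAME
# Prints "yes" when PROFILE_PATH references <local/NAME> with a plain
# "include" or the old "#include" spelling, i.e. loading would fail if
# the file were missing. Prints "no" when the only references use
# "include if exists" (AppArmor 3.x) or there is no reference at all.
needs_local_file() {
    profile="$1"; name="$2"
    # escape regex metacharacters in the profile name (dots are common)
    esc=$(printf '%s' "$name" | sed 's/[.[\*^$]/\\&/g')
    # "include if exists <local/...>" does not match: after the mandatory
    # whitespace the pattern demands "<", not "if".
    if grep -Eq "^[[:space:]]*#?include[[:space:]]+<local/$esc>" "$profile"; then
        echo yes
    else
        echo no
    fi
}

# create_local_stub LOCAL_DIR PROFILE_PATH NAME
# Creates LOCAL_DIR/NAME only when needed and only if it does not exist
# yet, so a locally modified file is never clobbered. Prints what it did.
create_local_stub() {
    dir="$1"; profile="$2"; name="$3"
    if [ "$(needs_local_file "$profile" "$name")" = yes ] && [ ! -e "$dir/$name" ]; then
        mkdir -p "$dir"
        printf '# Site-specific additions and overrides for %s.\n' "$name" > "$dir/$name"
        echo created
    else
        echo skipped
    fi
}

# Constructed sample profiles: one pre-3.x style, one using "if exists".
demo() {
    tmp=$(mktemp -d)
    printf 'profile old.app {\n  #include <local/old.app>\n}\n' > "$tmp/old.app"
    printf 'profile new.app {\n  include if exists <local/new.app>\n}\n' > "$tmp/new.app"
    create_local_stub "$tmp/local" "$tmp/old.app" old.app   # created
    create_local_stub "$tmp/local" "$tmp/new.app" new.app   # skipped
    rm -rf "$tmp"
}
demo
```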