Hi,

In the next few days, if all goes according to plan, I'll upload rsyslogd to lunar with a change[1] to the way its apparmor profile is applied.

The confinement status won't be changed during upgrades, but fresh installs will have the apparmor profile enforced by default. Up until now, it's been disabled.

A summary is in the README.apparmor[2] file, and d/NEWS was also updated/created.

I tried a mix of fixed and dynamic profile snippets, and packages can install their own snippets if needed. These would usually be packages that alter the rsyslog configuration to log somewhere else where the normal apparmor profile would have denied that, but at the same time we don't want to allow that by default if it's not needed.

There are a few more use cases I would like to tackle, including more test cases, and the `omprog` plugin is an obvious one. This is not yet covered, and I hope to get more data about its usage before coming up with a solution. It's hard to try to detect its usage in the config file because the config can be in so many different formats. Maybe we can come up with a generic sandbox of some sort for binaries used with the omprog plugin, or maybe we will just have to leave users to adjust that via the existing /etc/apparmor.d/local/usr.sbin.rsyslogd mechanism.

This adds a lot of delta to the package, at least in line count, but I don't think it's hard to maintain. I'll also of course try to submit this to Debian, once we have settled on the approach in lunar.

1. https://code.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/+git/rsyslog/+merge/436955
2. https://git.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/tree/debian/README.apparmor?h=lunar-rsyslog-enable-apparmor-dep8-take4-dot-d
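The following is an added example, not part of the original message or of the rsyslog packaging: a best-effort check an administrator could run to see whether a configuration uses `omprog` before the profile is enforced, covering the legacy `$ActionOMProgBinary` directive and the RainerScript `action(type="omprog" ...)` form. The function name, sample configuration and binary paths are constructed for illustration, and the matching is a heuristic: it does not follow include directives, handle trailing comments, or cope with `)` inside quoted values.

```python
import glob
import re

# Constructed sample mixing the syntaxes rsyslog accepts (not taken from the post).
SAMPLE_CONF = '''\
# legacy directive style
$ModLoad omprog
$ActionOMProgBinary /usr/local/bin/legacy-handler
*.* :omprog:

# RainerScript, action split across several lines
module(load="omprog")
action(type="omprog"
       binary="/usr/local/bin/alert --level high"
       template="RSYSLOG_TraditionalFileFormat")

# action(type="omprog" binary="/opt/commented-out")
action(type="omfile" file="/var/log/other.log")
'''

LEGACY_RE = re.compile(r'^\s*\$ActionOMProgBinary\s+(\S+)', re.I | re.M)
ACTION_RE = re.compile(r'\baction\s*\((.*?)\)', re.I | re.S)
PARAM_RE = re.compile(r'(\w[\w.]*)\s*=\s*"((?:[^"\\]|\\.)*)"')


def strip_comments(text):
    """Drop whole-line '#' comments so disabled actions are not reported."""
    return '\n'.join(line for line in text.splitlines()
                     if not line.lstrip().startswith('#'))


def find_omprog_binaries(conf_text):
    """Return executables that the config asks rsyslog to run through omprog."""
    text = strip_comments(conf_text)
    found = [m.group(1) for m in LEGACY_RE.finditer(text)]
    for m in ACTION_RE.finditer(text):
        params = {k.lower(): v for k, v in PARAM_RE.findall(m.group(1))}
        argv = params.get('binary', '').split()
        if params.get('type', '').lower() == 'omprog' and argv:
            found.append(argv[0])  # binary= may carry arguments; keep the program
    return found


if __name__ == '__main__':
    # Usual Debian/Ubuntu locations; unreadable or missing files are skipped.
    for path in ['/etc/rsyslog.conf'] + sorted(glob.glob('/etc/rsyslog.d/*.conf')):
        try:
            with open(path, encoding='utf-8', errors='replace') as fh:
                for binary in find_omprog_binaries(fh.read()):
                    print(f'{path}: omprog runs {binary}')
        except OSError:
            continue
```

Any binary it reports is a candidate for a rule in /etc/apparmor.d/local/usr.sbin.rsyslogd, the existing mechanism the message mentions.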