On Wed, Mar 06, 2024 at 08:34:59AM +0100, Mikhail Morfikov wrote:
> Take a look for example at the thunderbird email client package. They ship
> the apparmor profile for the app in the thunderbird package (I also asked them
> to do the move, but no one cared, see #949649 from 23 Jan 2020 -- no one ever
> answered).

That bug report looks identical to the one you've filed against libvirt,
so it doesn't provide any additional information.

> So I use thunderbird and I have my own separate profile for this app because
> I have different rules, aiming at a different security policy. Each time the
> thunderbird package is updated, the apparmor profile is also installed, and
> I have no option to forbid that. So the apparmor policy is rewritten, which
> requires me to manually remove the newly installed thunderbird profile (the
> physical file), remove non-existing profiles from apparmor (aa-remove-unknown),
> reload my own profile, and update the initramfs (since I load the apparmor
> policy during the initramfs phase).

That does indeed sound very annoying.

I wonder why you have to go through that whole process though. The
AppArmor configuration is in /etc, so everything is marked as conffiles.
If you make local customizations, shouldn't you at worst be prompted to
confirm whether you want your changes to be preserved or overwritten?

> Most people don't even use apparmor, so they don't care whether the
> profile is in the core package, or in some app-apparmor-profile package.

I don't think this is a fair assessment: AppArmor is enabled by default
in Debian and has been for several releases, so people *are* in fact
using AppArmor unless they go out of their way to disable it.

> All these issues/problems call for separate apparmor profile packages, but
> someone has to make that move first, so others would follow. 4 years have
> passed and no one did this, because no one cares, and no one really uses
> apparmor. And I bet no one will make that first step and in the next 4 years
> the problems will still persist.

Have you raised the topic on a project-wide forum, such as debian-devel?
That would IMO be the best way forward. Convince the project that
AppArmor profiles should be packaged separately, and make that into a
(mini-)policy that is officially adopted.

Opening bug reports against individual packages when no project-wide
consensus has been reached is unlikely to result in much progress.

-- 
Andrea Bolognani <e...@kiyuko.org>
Resistance is futile, you will be garbage collected.
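The reply above rests on how dpkg treats conffiles: a file registered in a package's Conffiles field is only overwritten silently if its md5sum still matches the shipped version, otherwise dpkg prompts. The following is an added example (not code from either participant or from Debian's packaging) that performs exactly that check in POSIX sh. It assumes the real-world input is the Conffiles field as printed by `dpkg-query -W -f='${Conffiles}\n' PACKAGE` (one line per conffile: path, md5sum of the shipped version, optional `obsolete`); the `demo` function builds a throwaway profile and a constructed Conffiles field so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Decide whether a file is a dpkg
# conffile and whether it has been locally modified, which is what dpkg
# uses to decide whether to prompt before overwriting it on upgrade.

# conffile_status PATH < conffiles-field
# Prints one of: not-a-conffile | missing | unmodified | modified
conffile_status() {
    path=$1
    # Conffiles lines look like " /etc/foo <md5>[ obsolete]"; awk's
    # default splitting ignores the leading space.
    recorded=$(awk -v p="$path" '$1 == p { print $2 }')
    [ -n "$recorded" ] || { echo not-a-conffile; return 0; }
    [ -f "$path" ] || { echo missing; return 0; }
    current=$(md5sum "$path" | cut -d' ' -f1)
    if [ "$current" = "$recorded" ]; then
        echo unmodified
    else
        echo modified
    fi
}

# Build a throwaway "shipped" profile plus a matching, constructed
# Conffiles field, then report the status before and after a local edit
# and for a path that is not registered at all. Prints three words.
demo() {
    dir=$(mktemp -d)
    profile=$dir/usr.bin.thunderbird
    printf '/usr/bin/thunderbird {\n  # constructed shipped profile\n}\n' > "$profile"
    shipped_md5=$(md5sum "$profile" | cut -d' ' -f1)
    # Constructed field in the format dpkg-query prints (second entry is
    # an obsolete conffile, which the parser must tolerate).
    conffiles=" $profile $shipped_md5
 $dir/usr.bin.thunderbird.old 00000000000000000000000000000000 obsolete"

    before=$(printf '%s\n' "$conffiles" | conffile_status "$profile")
    printf '# local customization\n' >> "$profile"
    after=$(printf '%s\n' "$conffiles" | conffile_status "$profile")
    unrelated=$(printf '%s\n' "$conffiles" | conffile_status "$dir/not-registered")
    rm -rf "$dir"
    echo "$before $after $unrelated"
}
```

On a live Debian system the same function can be pointed at the real profile with `dpkg-query -W -f='${Conffiles}\n' thunderbird | conffile_status /etc/apparmor.d/usr.bin.thunderbird`. A result of `not-a-conffile` would mean the profile is not under conffile handling at all, which would explain an upgrade replacing it without any prompt; `modified` is the case in which dpkg is expected to ask before overwriting.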