ApparmorProfileMigration

Revision 2 as of 2008-02-14 14:06:09


AppArmor profiles in Ubuntu can come from 1 of 3 places:

  1. a package which provides its own profile (eg cupsys)
  2. the apparmor-profiles package from universe
  3. the user (eg either manually generated or downloaded from the internet)

This document deals with moving profiles from apparmor-profiles into a package providing its own profile, while being careful not to destroy user-generated profiles.

Life of a Profile

A profile can either be hand-generated or come from upstream's AppArmor sources. In either case, if it is well-made and general enough, it is put in the apparmor-profiles package for wider testing. To add a profile to apparmor-profiles, you can [https://launchpad.net/ubuntu/+filebug file a bug against apparmor]. Profiles in apparmor-profiles should come installed in 'complain mode', and should also be a conffile. Once the profile has received wider testing and has been deemed appropriate for general use, it can migrate from apparmor-profiles to the package providing its own profile. Once the profile has migrated to this package, the profile should be in 'enforce mode'. Profile migration should occur in the development release of Ubuntu, and migrated profiles are generally not appropriate for StableReleaseUpdates.

Migration Steps

Migrating a profile involves updating both apparmor-profiles and the package that will have the profile.

Updating apparmor-profiles

Ubuntu keeps its AppArmor configuration in a bzr tree in Launchpad. To update apparmor-profiles:

  1. checkout the 'ubuntu' branch of apparmor:

    bzr branch http://bazaar.launchpad.net/~ubuntu-core-dev/apparmor/ubuntu
  2. remove the profile from bzr:

    cd ubuntu
    bzr rm profiles/apparmor.d/<profile>
  3. bump the changelog version and make an appropriate note using 'dch', making note of this new version
  4. commit and push the changes to the bzr branch if you have write access, otherwise, create a patch with:

    bzr commit -m "Removed profile foo"
    bzr diff -p1 > apparmor-profiles.patch

    You can now [https://launchpad.net/ubuntu/+filebug file a bug against apparmor] and attach apparmor-profiles.patch to the bug.

Updating the package

Updating the package providing the profile requires several steps, and will require tailoring for the specific package. In general, the steps to migrate the profile into this package are:

  1. update debian/control to use Conflicts and Replaces against versions of apparmor-profiles earlier than the one you just created above. For example, if the newly updated apparmor-profiles is version '2.1+1075-0ubuntu4', then debian/control should have these entries in the binary package section that will provide the profile:

    Conflicts: apparmor-profiles (<< 2.1+1075-0ubuntu4)
    Replaces: apparmor-profiles (<< 2.1+1075-0ubuntu4)

    Note: Technically 'Replaces' should be enough according to [http://www.debian.org/doc/debian-policy/ Debian Policy]. Observed behavior, however, shows if you install this package and then later the old version of apparmor-profiles, apparmor-profiles will overwrite your package's profile. The 'Conflicts' prevents this.

  2. update the package's postinst script to reload apparmor:

    # Reload AppArmor profile
    if [ -x /etc/init.d/apparmor ]; then
        invoke-rc.d apparmor force-reload || true
    fi
    This is usually done as the last step in 'configure'.
  3. copy the file to debian/apparmor-profile (making sure it is in 'enforce mode')
  4. update debian/rules to install the file. This step will require tailoring specific to the package
  5. update README.Debian to have a clause like (being careful to format it like the other parts of the file):

    Apparmor Profile
    ----------------
    Ubuntu has added the apparmor profile /etc/apparmor.d/<profile name> to <package name>. Before filing a bug against <package name> or apparmor, please see:
    
    https://wiki.ubuntu.com/DebuggingApparmor
  6. bump the changelog version and describe all the changes made to the package using 'dch'
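The two places in the steps above where a mistake silently weakens the result are step 1 (a wrong version in Conflicts/Replaces lets an old apparmor-profiles overwrite the package's profile) and step 3 (a profile copied while still carrying flags=(complain) ships confining nothing). The following shell script is an added example, not code from this wiki page or from the apparmor package: it checks which mode a profile file is in, strips a bare flags=(complain) from the header so the copy in debian/apparmor-profile is enforcing, and prints the matching debian/control stanza for a given apparmor-profiles version. It assumes the AppArmor 2.1 header syntax "/path/to/binary flags=(complain) {" and uses a constructed sample profile rather than any real shipped one.

```shell
#!/bin/sh
# Added example (not from the wiki page or the apparmor package).
# Assumes the AppArmor 2.1 profile header syntax used in apparmor-profiles:
#   /usr/sbin/foo flags=(complain) {
# and that the migrated copy is written to debian/apparmor-profile.

# profile_mode FILE: print "complain" if any profile header in FILE carries
# flags=(...complain...), otherwise "enforce". Text after a '#' is ignored so
# comments and #include lines cannot trigger a false positive.
profile_mode() {
    if grep -Eq '^[^#]*flags=\([^)]*complain[^)]*\)[[:space:]]*\{' "$1"; then
        echo complain
    else
        echo enforce
    fi
}

# to_enforce SRC DST: copy SRC to DST with a bare flags=(complain) removed
# from the header, so the migrated profile installs in enforce mode. A header
# that carries other flags alongside complain is left untouched and reported
# (exit status 1), because that case needs a human decision.
to_enforce() {
    sed -E 's/[[:space:]]*flags=\([[:space:]]*complain[[:space:]]*\)//' "$1" > "$2"
    if [ "$(profile_mode "$2")" = complain ]; then
        echo "warning: $2 still has complain among other flags; edit by hand" >&2
        return 1
    fi
    return 0
}

# control_stanza VERSION: print the Conflicts/Replaces lines for debian/control
# so that any apparmor-profiles older than VERSION (the upload that dropped the
# profile) can neither be co-installed nor overwrite the package's copy.
control_stanza() {
    printf 'Conflicts: apparmor-profiles (<< %s)\nReplaces: apparmor-profiles (<< %s)\n' "$1" "$1"
}

# demo: run the checks on a constructed sample profile (hypothetical binary
# /usr/sbin/foo; not a real profile from apparmor-profiles).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/usr.sbin.foo" <<'EOF'
# constructed sample profile for the demo
#include <tunables/global>
/usr/sbin/foo flags=(complain) {
  #include <abstractions/base>
  /usr/sbin/foo mr,
}
EOF
    echo "before migration: $(profile_mode "$tmp/usr.sbin.foo")"
    to_enforce "$tmp/usr.sbin.foo" "$tmp/apparmor-profile"
    echo "after migration:  $(profile_mode "$tmp/apparmor-profile")"
    control_stanza 2.1+1075-0ubuntu4
    rm -rf "$tmp"
}

demo
```

Run it before step 3 to confirm the copy going into debian/apparmor-profile is enforcing, and paste the printed stanza into the binary package section for step 1, substituting the version you gave apparmor-profiles with 'dch'.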