Hello,

On Monday, 28 July 2014, Jamie Strandboge wrote:
> On 07/27/2014 12:47 PM, Christian Boltz wrote:
> > I discussed a bit with intrigeri about a profile repo for
> > cross-distribution usage and profile sharing. Here's the log -
> > feedback welcome ;-)
> >
> > [19:08:47] <cboltz> just as a quick idea:
> > http://paste.opensuse.org/96760488
> >
> > + apparmor-profiles
> >   |-- debian
> >   |   |-- Wheezy
> >   |   '-- Jessie
> >   |-- openSUSE
> >   |   |-- 12.3
> >   |   '-- 13.1
> >   '-- Ubuntu
> >       |-- Trusty_Tahr
> >       '-- Utopic_Unicorn
>
> This is the intent for apparmor-profiles, but so far only Ubuntu has
> put profiles there. I think it would be great to have other distro
> profiles in there. You've probably seen this, but in case you
> haven't:
>
> http://wiki.apparmor.net/index.php/Profiles

Yes, I know this page and the apparmor-profiles repo.

> Now, the way Ubuntu handles profiles is that we ship production
> distro-profiles in the packages themselves and the apparmor-profiles
> repository is a place for in-progress profiles or profiles that for
> some reason don't fit with the distro. We ship the profiles in the
> packages themselves so that package maintainers (i.e., the people who
> know the software being confined best) are able to update the
> profiles and also to avoid a central profiles package that is gated
> on a handful of developers (or fewer). As such, the apparmor-profiles
> bzr repo doesn't have the profiles that Ubuntu actually ships (but we
> do leave the profile file in place with a note on where to find the
> official profile (see ubuntu/14.10/usr.bin.evince as an example)).

I think we had this discussion in the past already ;-)

Shipping profiles in the respective package is nice if it works (and
the package maintainers take care of the profile), and horrible if the
maintainers don't care. For openSUSE, bug reports about AppArmor
profiles tend to be assigned to me first (not a big surprise), and
there are also a few packagers who include profiles in their package
and care for the profiles.

However, that's not the point of the cross-distribution repo ;-)

The point is to

a) have a place where _all profiles_ of _all distributions_ are
   available (no, I do not want the "this profile is maintained in
   $package" placeholders - instead, I'd like to have them automatically
   pulled from the packages regularly so that I don't have to hunt
   through the packages of 5 distributions - maybe do this in a
   subdirectory "maintained-in-package" (or
   "maintained-in-package/$package") to make clear where they come from)

b) merge the profiles "upwards", for example from "openSUSE 13.1" to
   "openSUSE" (which ideally means "all supported releases" or at least
   "the next release") and finally to the global level for all
   distributions.

The big goal is b), a) is just a way to make it easier ;-)

I'm quite sure it's possible to create cross-distribution profiles
(hint: we already do that with the profiles we ship in the AppArmor
tarball ;-)

The permissions and paths required for accessing binaries, libraries
etc. are (nearly) the same everywhere, so that can easily be merged,
even if we need some /{usr/,}bin/foo magic in some cases.

Paths for data directories might differ, but it's easy to separate them
out to tunables/ so that the main profile can be shared. That means a
99% win, with 1% distro-specific tunables/ remaining.

Abstractions should be the same everywhere IMHO, so we should enforce
that changed and new abstractions are always pushed to the apparmor
repo. This also means to disallow abstractions in the apparmor-profiles
repo.

And finally - why should we do this? Easy answer: because programmers
and packagers are lazy - it's easier to copy the cross-distro profile
into your package (and maybe patch the tunables/ part) than maintaining
a profile that is specific for your distro ;-)

As a side effect ;-) we get profiles for more applications that
(hopefully) work everywhere.

Yes, I know merging profiles causes some work, but in the long term I
hope it makes it easier for everybody.

Regards,

Christian Boltz
-- 
> You say our final product doesn't have bugs worth tracking?
No. Your final products are in general known for their bugginess.
This could be a marketing decision to assure your jobs. ;-))
[> Stephan Kulow and Eberhard Mönkeberg in opensuse-factory]

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
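The "shared profile plus distro-specific tunables/" split and the /{usr/,}bin/foo alternation discussed in the mail, as an added illustration that is not part of the original thread or of the apparmor-profiles repo; the program name foo, the variable @{FOO_DATADIR} and all paths are assumed placeholders:

```apparmor
# --- tunables/foo : the 1% distro-specific part (assumed example) ---
# Each distribution ships its own copy of this one-line file.
# openSUSE variant:
@{FOO_DATADIR}=/var/lib/foo
# A Debian variant would instead carry, for example:
# @{FOO_DATADIR}=/var/lib/foo-data

# --- usr.bin.foo : the shared cross-distribution profile (assumed example) ---
#include <tunables/global>
#include <tunables/foo>

# /{usr/,}bin/foo attaches to both /bin/foo and /usr/bin/foo, so the same
# profile works on merged-/usr and split-/usr distributions.
/{usr/,}bin/foo {
  #include <abstractions/base>

  # Binaries and libraries: identical layout everywhere, so these rules
  # need no per-distro changes.
  /{usr/,}bin/foo mr,
  /usr/lib{,32,64}/foo/** mr,

  # Data directory: the only path that differs between distributions.
  # It is reached through the tunable instead of a hard-coded path, so
  # the profile body stays byte-identical across distros.
  owner @{FOO_DATADIR}/ r,
  owner @{FOO_DATADIR}/** rwk,

  # Explicit deny so a confined foo cannot drop files into the user's
  # home even if a later abstraction would otherwise allow it.
  deny @{HOME}/** w,
}
```

Merging a distro profile "upwards" then means diffing only the profile body; any hunk that touches a data path is a signal that the path belongs in tunables/foo rather than in the shared file.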
