[Pkg-xfce-devel] [pkg-apparmor] Support for shipping AppArmor profiles in Debian (lightdm)

intrigeri intrigeri at debian.org
Thu Mar 12 14:15:51 UTC 2015


Hi Yves-Alexis & Cameron,

first of all, thanks for the feedback. Replies inline below.

Cameron Norman wrote (02 Mar 2015 20:39:39 GMT) :
> On Mar 2, 2015 12:28 PM, "Yves-Alexis Perez" <corsac at debian.org> wrote:
>> Actually, we already had issues with the AppArmor profile in the past,
>> because it was too recent for the current AppArmor utilities. The
>> AppArmor profile is provided directly by upstream (which evolves in
>> Ubuntu circles), so it might not be perfect for Debian I'm not an
>> AppArmor user myself, so I can't really test, but am really interested
>> in any comment you might have.

> So recent versions of apparmor do not fail to parse rules it does not know
> about, as long as the syntax is right. This should ensure the profile
> currently and continues to work without issue.

Indeed, that's been the case since AppArmor 2.9 reached Debian :)

Sorry I didn't ping all maintainers yet to tell them they can revert
the changes we had them do earlier in the Jessie cycle. (I've done so
for cups a few days ago, but forgot about lightdm.)

So, I've had a look at the lightdm 1.12.2-1 source package, and
indeed, at least these parts of patches/02_fix-apparmor-profile.patch
can now be dropped:

-  #include <abstractions/dbus-accessibility>

[...]

-  signal peer=@{profile_name},
-  ptrace peer=@{profile_name},
-  # needed when logging out of the guest session
-  signal (receive) peer=unconfined,
+  # this doesn't work with the current Debian apparmor
+  #signal peer=@{profile_name},
+  #ptrace peer=@{profile_name},
+  ## needed when logging out of the guest session
+  #signal (receive) peer=unconfined,

> I run lightdm and use apparmor and can test the profile shipped upstream
> when i get home.

If you're running sid, then you would be the ideal candidate to ensure
any future lightdm breakage caused by its AppArmor profile turns on
red lights in a timely manner, even if Yves-Alexis doesn't test the
packages he uploads with AppArmor enabled :)

Cheers,
-- 
intrigeri



More information about the Pkg-xfce-devel mailing list