Differences between revisions 62 and 63
Revision 62 as of 2015-01-27 14:00:08
Size: 4026
Editor: UlrikeUhlig
Comment: This page should disappear, clearing stuff we don't need
Revision 63 as of 2015-01-27 17:51:57
Size: 3495
Editor: UlrikeUhlig
Comment: testing part should go to debug page
Line 55: Line 55:

=== Test ===

In general, it is useful if a profile is tested by someone who's knowledgeable about the program that is being confined by the proposed profile, to make sure the confinement profile doesn't break common usecases. The package maintainer generally is one of the best-placed people to do this.

In a nutshell, fire up a sid VM, `apt install apparmor`, add `apparmor=1 security=apparmor` to the kernel command-line, drop the profile in place, reboot and test the software at will (also see [[AppArmor/HowToUse]]).
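
Review bot: in the Test paragraph at line 55, "drop the profile in place" does not say where the profile goes; the packaging section of this page installs profiles under /etc/apparmor.d/, so name that directory wherever this text ends up. The revision comment says the testing part should go to the debug page, so a short link from this page to that one would keep the advice to test before shipping reachable for maintainers. Minor: "usecases" should read "use cases".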


Ship AppArmor profiles with your package

If you, as a package maintainer, want to provide a profile with your package, you should first check if

Migrate a profile to the package that ships the confined application

(TODO: describe how to migrate a profile from e.g. apparmor-profiles-extra to the actual package)

Package with dh_apparmor

dh_apparmor provides the debhelper tools used to install/migrate/remove AppArmor profiles. It also reloads the specified AppArmor profile in postinst using:

apparmor_parser -r -W -T /etc/apparmor.d/<profilename>

By using '-W -T' we ensure that any abstraction updates are also pulled in.

In order to use it, you will first need to add a Build-Dependency on dh-apparmor in debian/control:

Build-Depends: dh-apparmor

In debian/rules you will need to install the AppArmor profiles to /etc/apparmor.d/, then run dh_apparmor on them.

Packages that have multiple binary packages need the '-p<package name>' parameter for dh_apparmor, otherwise dh_apparmor will add AppArmor reload commands for all packages rather than just the one that ships the profile.

Example from the vidalia package:

cp debian/apparmor-profile debian/vidalia/etc/apparmor.d/usr.bin.vidalia
dh_apparmor --profile-name=usr.bin.vidalia -pvidalia

Example from the torbrowser-launcher package:

override_dh_install:
	for PROFILE in usr.bin.torbrowser-launcher torbrowser.Tor.tor torbrowser.start-tor-browser torbrowser.Browser.firefox ; do \
		cp apparmor/$$PROFILE debian/torbrowser-launcher/etc/apparmor.d/ ; \
		dh_apparmor --profile-name=$$PROFILE -ptorbrowser-launcher ; \
	done

When including AppArmor profiles in a package, you might want to add to debian/control:

Suggests: apparmor
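
The multi-binary caveat and the Build-Depends requirement described above can be checked mechanically before upload. The following shell script is an added example, not part of dh-apparmor or of the packages quoted on this page; the `demo` source tree, the function names and the finding messages are constructed for illustration, and the checks are plain text heuristics over debian/control and debian/rules.

```shell
#!/bin/sh
# Added example: lint a source tree for the dh_apparmor pitfalls named above.
# lint_dh_apparmor SRCDIR prints one line per finding; no output means clean.
lint_dh_apparmor() {
    src=$1
    # Number of binary packages = number of Package: stanzas in debian/control.
    npkg=$(grep -c '^Package:' "$src/debian/control" || true)
    # Heuristic: the package name must appear somewhere in debian/control.
    grep -Eq '(^|[ ,])dh-apparmor([ ,(]|$)' "$src/debian/control" ||
        echo "debian/control: dh-apparmor not in Build-Depends"
    awk -v npkg="$npkg" '
        /^[ \t]*#/ { next }                      # skip comment lines
        /(^|[ \t;])dh_apparmor([ \t]|$)/ {       # an actual invocation
            if ($0 !~ /--profile-name=/)
                print "debian/rules:" NR ": no --profile-name"
            # Without -p, reload commands are added for every binary package.
            if (npkg > 1 && $0 !~ /[ \t](-p|--package=)/)
                print "debian/rules:" NR ": no -p<package> in multi-binary source"
        }' "$src/debian/rules"
}

# Constructed sample tree: two binary packages, one scoped call, one unscoped.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/debian"
    cat > "$d/debian/control" <<'EOF'
Source: demo
Build-Depends: debhelper (>= 9), dh-apparmor

Package: demo
Architecture: any

Package: demo-data
Architecture: all
EOF
    cat > "$d/debian/rules" <<'EOF'
#!/usr/bin/make -f
override_dh_install:
	dh_install
	dh_apparmor --profile-name=usr.bin.demo -pdemo
	dh_apparmor --profile-name=usr.bin.demo-helper
EOF
    echo "$d"
}

tree=$(make_sample_tree)
lint_dh_apparmor "$tree"
rm -rf "$tree"
```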