Revision 4026 comment: This page should disappear, clearing stuff we don't need
Revision 3495 comment: testing part should go to debug page
=== Test ===
In general, it is useful if a profile is tested by someone who's knowledgeable about the program being confined by the proposed profile, to make sure the confinement profile doesn't break common use cases. The package maintainer is generally one of the best-placed people to do this. In a nutshell, fire up a sid VM, `apt install apparmor`, add `apparmor=1 security=apparmor` to the kernel command-line, drop the profile in place, reboot and test the software at will (also see [[AppArmor/HowToUse]]).
Ship AppArmor profiles with your package
If you, as a package maintainer, want to provide a profile with your package, you should first check whether:
 * that profile is already included in apparmor-profiles-extra → then you can migrate it to the package that ships the application which is to be confined;
 * that profile still needs to be created → then you will want to read how to contribute upstream and report a bug tagged "new-profile".
Migrate a profile to the package that ships the confined application
(TODO: describe how to migrate a profile from e.g. apparmor-profiles-extra to the actual package)
Package with dh_apparmor
dh_apparmor provides the debhelper tooling used to install, migrate and remove AppArmor profiles. It also reloads the specified AppArmor profile in postinst using:
{{{
apparmor_parser -r -W -T /etc/apparmor.d/<profilename>
}}}
By using '-W -T' we ensure that any abstraction updates are also pulled in: -T skips the cached binary profile and -W writes a fresh one, so the profile is recompiled against the abstractions currently on disk.
In order to use it, you will first need to add a build dependency on dh-apparmor in debian/control:
{{{
Build-Depends: dh-apparmor
}}}
In debian/rules you will need to install the AppArmor profiles to /etc/apparmor.d/ and then run dh_apparmor on them.
Source packages that build multiple binary packages need the '-p<package name>' parameter for dh_apparmor; otherwise dh_apparmor will add AppArmor reload commands to all binary packages rather than just the one that ships the profile.
Example from the vidalia package:
{{{
cp debian/apparmor-profile debian/vidalia/etc/apparmor.d/usr.bin.vidalia
dh_apparmor --profile-name=usr.bin.vidalia -pvidalia
}}}
Example from the torbrowser-launcher package:
{{{
override_dh_install:
	for PROFILE in usr.bin.torbrowser-launcher torbrowser.Tor.tor torbrowser.start-tor-browser torbrowser.Browser.firefox ; do \
	    cp apparmor/$$PROFILE debian/torbrowser-launcher/etc/apparmor.d/ ; \
	    dh_apparmor --profile-name=$$PROFILE -ptorbrowser-launcher ; \
	done
}}}
When including AppArmor profiles in a package, you might want to add to debian/control:
{{{
Suggests: apparmor
}}}
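The following is an added example, not code from this wiki page, from the vidalia or torbrowser-launcher packages, or from dh_apparmor itself: a small POSIX shell lint a maintainer can run over the staged package tree before calling dh_apparmor. It reads each profile's attachment path from the profile header and checks that the executable is actually shipped by the same binary package, which catches the multi-binary mix-up described above (a profile landing in one package while the confined binary belongs to another). The staged layout debian/<pkg>/etc/apparmor.d/ and the sample profile text are assumptions constructed for the example; the naming check only warns, because names such as torbrowser.Tor.tor in the example above do not follow the path-derived usr.bin.<name> convention.

```shell
#!/bin/sh
# Pre-build lint for packages that ship AppArmor profiles via dh_apparmor.
# Added example; not part of dh_apparmor or of any Debian package.
# Assumption (constructed): the binary package is staged under debian/<pkg>/
# and its profiles are already copied into debian/<pkg>/etc/apparmor.d/.

# attachment_path FILE
# Print the executable path a profile attaches to: the first field starting
# with '/' on the first line that opens the profile block ("... {"), skipping
# blank lines, comments, #include lines and @{VAR}= assignments.
attachment_path() {
    awk '
        /^[[:space:]]*$/   { next }   # blank
        /^[[:space:]]*[#@]/ { next }   # comment, #include, @{VAR}=...
        /[{][[:space:]]*$/ {           # "/path flags=(...) {" or "profile NAME /path {"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\//) { print $i; exit }
            exit                       # bare "profile NAME {" has no attachment
        }
    ' "$1"
}

# check_staged_profiles PKGDIR
# For every profile under PKGDIR/etc/apparmor.d/, verify that the executable it
# attaches to is shipped in the same staged tree.  Warns when the profile file
# name does not follow the usual path-derived convention (/usr/bin/foo ->
# usr.bin.foo).  Returns 0 when every profile is consistent, 1 otherwise.
check_staged_profiles() {
    pkgdir=$1
    rc=0
    for prof in "$pkgdir"/etc/apparmor.d/*; do
        [ -f "$prof" ] || continue              # skip local/, tunables/, ...
        name=$(basename "$prof")
        exe=$(attachment_path "$prof")
        if [ -z "$exe" ]; then
            echo "FAIL: $name: no attachment path found in profile header" >&2
            rc=1
            continue
        fi
        if [ ! -e "$pkgdir$exe" ]; then
            echo "FAIL: $name attaches to $exe, which is not shipped under $pkgdir" >&2
            rc=1
            continue
        fi
        expected=$(printf '%s' "${exe#/}" | tr '/' '.')
        if [ "$name" != "$expected" ]; then
            echo "WARN: $name attaches to $exe; conventional file name is $expected" >&2
        fi
        echo "OK:   $name -> $exe"
    done
    return $rc
}

# Usage from the source tree after the profiles have been staged:
#   check_staged_profiles debian/vidalia
```

Run it from debian/rules (or by hand) after the `cp` step and before `dh_apparmor`; a non-zero exit means a profile was staged into a package that does not ship the binary it confines, which is exactly the situation the `-p<package name>` parameter is meant to keep straight.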