Differences between revisions 67 and 68
Revision 67 as of 2015-01-29 16:50:18
Size: 3752
Editor: UlrikeUhlig
Comment: this is not a migration but a new profile
Revision 68 as of 2015-01-29 16:56:52
Size: 1824
Editor: UlrikeUhlig
Comment: move goal oriented stuff on contribute page. we leave only the package with dh_apparmor stuff here

== Ship AppArmor profiles with your package ==

If you want to provide a profile with a package P, you should first check if
 * that profile '''[[https://anonscm.debian.org/cgit/collab-maint/apparmor-profiles-extra.git/tree/profiles | is included in apparmor-profiles-extra]]'''
   → then you can [[AppArmor/Contribute/ImportProfileFromExtra | migrate it to the package that ships the application which is to be confined]] and [[AppArmor/Reportbug | report a bug tagged "new-profile"]]
 * that '''[[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles | profile is shipped in Ubuntu]]'''
   → then you will want to [[AppArmor/Contribute/MergeProfileFromUpstream | import the profile to apparmor-profiles-extra]] and [[AppArmor/Reportbug | report a bug tagged "merge-from-upstream"]] or [[AppArmor/Contribute/ImportProfileFromExtra | migrate it to the package that ships the application which is to be confined]] and [[AppArmor/Reportbug | report a bug tagged "migrate-profile"]]
 * that '''[[https://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files/head:/ubuntu/ | profile already exists upstream]]'''
   → then you will want to [[AppArmor/Contribute/MergeProfileFromUpstream | import the profile to apparmor-profiles-extra]] and [[AppArmor/Reportbug | report a bug tagged "merge-from-upstream"]] or [[AppArmor/Contribute/ImportProfileFromExtra | migrate it to the package that ships the application which is to be confined]] and [[AppArmor/Reportbug | report a bug tagged "migrate-profile"]]
 * that '''profile still needs to be created'''
   → then you will want to read how to [[AppArmor/Contribute/Upstream|contribute upstream]] and [[AppArmor/Reportbug | report a bug tagged "new-profile"]]

=== Migrate a profile to the package that ships the confined application ===

(TODO: describe how to migrate a profile from e.g. apparmor-profiles-extra to the actual package)


=== Package with dh_apparmor ===

dh_apparmor provides the debhelper tools used to install/migrate/remove AppArmor profiles. It also reloads the specified AppArmor profile in postinst using:

{{{
apparmor_parser -r -W -T /etc/apparmor.d/<profilename>
}}}

By using '-W -T' we ensure that any abstraction updates are also pulled in.

In order to use it, you will first need to add a Build-Dependency on dh-apparmor in debian/control:

{{{
Build-Depends: dh-apparmor
}}}

In debian/rules you will need to install the AppArmor profiles to /etc/apparmor.d/, then run dh_apparmor on them.

Packages that have multiple binary packages need the '-p<package name>' parameter for dh_apparmor, otherwise dh_apparmor will add AppArmor reload commands for all packages rather than just the one that ships the profile.

Example from the vidalia package:

{{{
cp debian/apparmor-profile debian/vidalia/etc/apparmor.d/usr.bin.vidalia
dh_apparmor --profile-name=usr.bin.vidalia -pvidalia
}}}

Example from the torbrowser-launcher package:

{{{
override_dh_install:
	for PROFILE in usr.bin.torbrowser-launcher torbrowser.Tor.tor torbrowser.start-tor-browser torbrowser.Browser.firefox ; do \
		cp apparmor/$$PROFILE debian/torbrowser-launcher/etc/apparmor.d/ ; \
		dh_apparmor --profile-name=$$PROFILE -ptorbrowser-launcher ; \
	done
}}}

When including AppArmor profiles in a package, you might also want to add to debian/control:

{{{
Suggests: apparmor
}}}
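As an added check (not part of dh_apparmor, of this wiki page, or of any Debian package), the script below inspects a staged binary package tree after the build: every profile it ships under etc/apparmor.d/ must be reloaded by its postinst, and its postinst must not reload a profile the package does not ship, which is what a missing -p<package> produces in a multi-binary source package. The sample trees, package names and postinst snippet it creates are constructed for the demonstration and only mimic the shape of dh_apparmor's generated reload code.

```shell
#!/bin/sh
# Check a staged binary package (debian/<pkg>) for consistency between the
# AppArmor profiles it ships and the profiles its postinst reloads.
# Returns 0 when consistent, 1 otherwise; prints one line per finding.
check_apparmor_pkg() {
    pkgdir=$1
    postinst=$pkgdir/DEBIAN/postinst
    profdir=$pkgdir/etc/apparmor.d
    status=0
    # Profile paths the maintainer script mentions; the local/ override
    # directory that the reload snippet creates is not a profile itself.
    referenced=$(grep -o '/etc/apparmor.d/[A-Za-z0-9._-]*' "$postinst" 2>/dev/null \
                 | grep -v '/etc/apparmor.d/local$' | sort -u)
    for f in "$profdir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        echo "$referenced" | grep -qxF "/etc/apparmor.d/$name" ||
            { echo "MISSING: $name is shipped but never reloaded by postinst"; status=1; }
    done
    for path in $referenced; do
        [ -f "$pkgdir$path" ] ||
            { echo "EXTRA: postinst reloads $path, which this package does not ship"; status=1; }
    done
    return $status
}

# Constructed sample tree (hypothetical, modelled on the vidalia example):
# $1 = directory, $2 = profile to ship, $3 = profile the postinst reloads.
make_sample_pkg() {
    mkdir -p "$1/DEBIAN" "$1/etc/apparmor.d"
    echo "# constructed placeholder profile $2" > "$1/etc/apparmor.d/$2"
    cat > "$1/DEBIAN/postinst" <<EOF
#!/bin/sh
if [ "\$1" = "configure" ]; then
    APP_PROFILE="/etc/apparmor.d/$3"
    LOCAL_APP_PROFILE="/etc/apparmor.d/local/$3"
    apparmor_parser -r -W -T "\$APP_PROFILE" || true
fi
EOF
}

tmp=$(mktemp -d)
make_sample_pkg "$tmp/vidalia" usr.bin.vidalia usr.bin.vidalia          # consistent
make_sample_pkg "$tmp/vidalia-doc" usr.bin.vidalia-doc usr.bin.vidalia  # dh_apparmor run without -p
check_apparmor_pkg "$tmp/vidalia" && echo "vidalia: OK"
check_apparmor_pkg "$tmp/vidalia-doc" || echo "vidalia-doc: problems found"
rm -rf "$tmp"
```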