2977
Comment: move external links from ImportProfileFromExtra
|
← Revision 86 as of 2020-01-31 18:45:15 ⇥
2977
fix syntax
|
Line 72: | Line 72: |
- [[https://wiki.ubuntu.com/ApparmorProfileMigration|ApparmorProfileMigration - Ubuntu wiki]] | * [[https://wiki.ubuntu.com/ApparmorProfileMigration|ApparmorProfileMigration - Ubuntu wiki]] |
First time profile import
First, verify whether the profile is included in apparmor-profiles-extra.
If you want to ship an existing AppArmor profile confining software S in the Debian package that ships S, you'll need to do a first-time import of this profile into the package. This is done with dh_apparmor.
Package using dh_apparmor
dh_apparmor provides the debhelper tools used to install/migrate/remove AppArmor profiles. It also reloads the specified AppArmor profile in postinst using:
apparmor_parser -r -W -T /etc/apparmor.d/<profilename>
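Using '-W -T' ensures that any abstraction updates are also pulled in: -T skips reading the cached compiled profile, and -W writes the freshly compiled profile back to the cache.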
debian/control
In order to use it, you will first need to add a Build-Dependency on dh-apparmor in debian/control:
Build-Depends: dh-apparmor
When including AppArmor profiles in a package, you might want to add Suggests: apparmor to debian/control.
There are cases when included profiles can't be parsed with older versions of apparmor_parser, and then if AppArmor is enabled, the apparmor service will fail to start due to a parsing error. The best way to make this breakage explicit would be:
Breaks: apparmor (<< $REQUIRED_VERSION)
Installing the profiles
In debian/rules you will need to install the AppArmor profiles to /etc/apparmor.d/, then run dh_apparmor on them.
Packages that have multiple binary packages need the '-p<package name>' parameter for dh_apparmor, otherwise dh_apparmor will add AppArmor reload commands for all packages rather than just the one that ships the profile.
Examples
Example from the vidalia package:
cp debian/apparmor-profile debian/vidalia/etc/apparmor.d/usr.bin.vidalia
dh_apparmor --profile-name=usr.bin.vidalia -pvidalia
Example from the torbrowser-launcher package:
override_dh_install:
	for PROFILE in usr.bin.torbrowser-launcher torbrowser.Tor.tor torbrowser.start-tor-browser torbrowser.Browser.firefox ; do \
		cp apparmor/$$PROFILE debian/torbrowser-launcher/etc/apparmor.d/ ; \
		dh_apparmor --profile-name=$$PROFILE -ptorbrowser-launcher ; \
	done
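A lint for two of the packaging rules above (the Build-Depends on dh-apparmor, and -p<package name> when the source builds several binary packages), as an added example that is not part of the original wiki page. The function names lint_dh_apparmor and make_sample_tree and the demo source tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a Debian source tree against the dh_apparmor rules above.
# lint_dh_apparmor and make_sample_tree are hypothetical helper names.
# Prints one line per finding; the return status is the number of findings.
lint_dh_apparmor() {
    control=$1/debian/control
    rules=$1/debian/rules
    findings=0
    # Collect non-comment dh_apparmor calls (a -p on a continuation line is not seen).
    calls=$(grep -n 'dh_apparmor' "$rules" | grep -v '^[0-9]*:[[:space:]]*#') || true
    [ -n "$calls" ] || return 0

    # Rule 1: Build-Depends (including folded continuation lines) names dh-apparmor.
    if ! awk '/^Build-Depends/ { f = 1; print; next }
              /^[ \t]/ && f    { print; next }
                               { f = 0 }' "$control" | grep -q 'dh-apparmor'; then
        echo "debian/control: Build-Depends lacks dh-apparmor"
        findings=$((findings + 1))
    fi

    # Rule 2: with several binary packages every call needs -p<package>,
    # otherwise reload commands are added for all packages.
    if [ "$(grep -c '^Package:' "$control")" -gt 1 ]; then
        missing=$(printf '%s\n' "$calls" |
            grep -Ev '[[:space:]](-p[^[:space:]]|--package=)') || true
        if [ -n "$missing" ]; then
            echo "debian/rules: dh_apparmor without -p in a multi-binary source:"
            printf '%s\n' "$missing" | sed 's/^/  line /'
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Constructed sample tree: two binary packages, no dh-apparmor build
# dependency, and a dh_apparmor call without -p.
make_sample_tree() {
    d=$(mktemp -d) && mkdir "$d/debian"
    printf '%s\n' 'Source: demo' 'Build-Depends: debhelper-compat (= 13)' '' \
        'Package: demo' 'Architecture: any' '' \
        'Package: demo-data' 'Architecture: all' > "$d/debian/control"
    printf '%%:\n\tdh $@\n\noverride_dh_install:\n\tdh_install\n' > "$d/debian/rules"
    printf '\tdh_apparmor --profile-name=usr.bin.demo\n' >> "$d/debian/rules"
    echo "$d"
}

tree=$(make_sample_tree)
lint_dh_apparmor "$tree" || echo "findings: $?"
rm -rf "$tree"
```

Run against a real package by calling lint_dh_apparmor with the path to the unpacked source tree.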
Debug
Then, you'll need to test and debug.