Create a new AppArmor profile, or modify an existing one

We want to keep our delta with upstream as small as possible. Therefore, if you want to submit a new profile or modify an existing one, this should be done upstream first.

This process will also allow for better cross-distribution sharing and maintenance of profiles.

Debian / Upstream relationship

Every distribution has adopted a different strategy to handle their profiles. Most of Debian's AppArmor profiles are imported directly from the upstream repositories. The development of profiles takes place in Git at Launchpad:

Ubuntu and openSUSE ship AppArmor by default. Ubuntu bases its profiles on the same upstream source: once a profile is "ready", it is taken out of the profile development branch and inserted directly into the corresponding package, e.g. the AppArmor profile for evince is included in Ubuntu's evince package.

In Debian, in the long run, a profile should also be delivered in the package that ships the software it confines. This is already the case for some packages. However, for now package maintainers can still rely on the Debian AppArmor packaging team, which provides additional profiles via the apparmor-profiles-extra package.

Upstream          | Debian source package   | Debian binary package          | Ubuntu source package | Ubuntu binary package
------------------+-------------------------+--------------------------------+-----------------------+----------------------
apparmor          | apparmor                | apparmor and apparmor-profiles | apparmor              | apparmor
apparmor-profiles | apparmor-profiles-extra | apparmor-profiles-extra        | apparmor-profiles     | apparmor-profiles
Ubuntu            | apparmor-profiles-extra | apparmor-profiles-extra        | tcpdump               | tcpdump
Ubuntu            | evince                  | evince                         | evince                | evince
libvirt           | libvirt                 | libvirt-daemon-system          | libvirt               | libvirt-daemon-system

Note: we merely use evince and tlsdate as example packages in this table. The tlsdate upstream tarball includes its own AppArmor profile, whereas the evince upstream tarball does not. The evince Ubuntu binary package ships with its own AppArmor profile, whereas in Debian this profile is shipped in the apparmor-profiles-extra package.

Generate and update your profiles

The AppArmor crashcourse by Christian Boltz contains information on how to create a profile from scratch using aa-logprof and aa-genprof.

Please consult the "External links" section at the bottom of this page for more information on this topic.

Test your profiles

See Debugging a profile.

Quick howto contribute to upstream AppArmor profiles using Git

Upstream AppArmor profiles live in many different repositories. This documentation focuses on contributing to profiles that live in the upstream apparmor-profiles repository, but the procedure is quite similar for the other repositories.

If you want to contribute to existing/upstream AppArmor profiles, you need to:

  1. create an account on Canonical's Launchpad;

  2. upload an SSH key to be able to push your changes.

You will also need to install the Git version control system:

apt-get install git

Go to (or create) the directory where you want to check out the repository:

git clone git+ssh://git.launchpad.net/apparmor-profiles
cd apparmor-profiles
ls

Create a topic branch:

git checkout -b BRANCHNAME origin/master

Then modify the profiles in a text editor and test them. Testing is done by disabling and enabling the profile. Once done, commit the changes to your local repository:

git add -p && git commit

Add a remote to push your changes:

git remote add USERNAME git+ssh://USERNAME@git.launchpad.net/~USERNAME/REPOSITORY

In ~/.ssh/config you might want to add:

Host git.launchpad.net
    HostName git.launchpad.net
    User USERNAME
    Port 22
    IdentityFile ~/.ssh/id_rsa_launchpad

Now push the changes to your remote repository, creating a remote branch directly:

git push USERNAME BRANCHNAME

Then you will be able to request a merge through the web interface. Go to https://code.launchpad.net/~USERNAME/apparmor-profiles/+git/apparmor-profiles, click on your branch, and find the "Propose for merging" button. In the "Target reference path:" field you need to specify "master".

(More details in the upstream documentation: https://help.launchpad.net/Code/Git)
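
The "modify and test" step of the procedure above, as an added example (not part of the original page or of the AppArmor tooling): parse-check an edited profile, load it in the chosen mode, then summarise what it logged. The function names, the AA_DRY_RUN switch and the sample log lines are made up for this illustration, and it goes slightly beyond enabling and disabling by also covering complain mode.

```sh
#!/bin/sh
# Added example, not from the wiki page. Run from the apparmor-profiles checkout.
# AA_DRY_RUN=1 prints the apparmor_parser commands instead of running them.

run() {
    if [ "${AA_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# load_profile FILE [enforce|complain|disable]   (loading needs root)
# The parse check runs first; a failure stops before anything is loaded.
load_profile() {
    file=$1; mode=${2:-complain}
    [ -f "$file" ] || { echo "no such profile: $file" >&2; return 2; }
    case $mode in
        enforce)  set -- -r ;;      # replace the loaded policy
        complain) set -- -r -C ;;   # replace, forced into complain mode
        disable)  set -- -R ;;      # remove the policy from the kernel
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    # -Q: compile only, skip the kernel load; -K: skip the policy cache
    run apparmor_parser -Q -K "$file" || return 1
    run apparmor_parser "$@" "$file"
}

# denials PROFILE: read kernel/audit log lines on stdin and print the unique
# "verdict operation name denied_mask" tuples logged for that profile.
denials() {
    awk -v prof="$1" '
    function field(key,    s) {
        if (!match($0, " " key "=\"[^\"]*\"")) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    /apparmor="(DENIED|ALLOWED)"/ && field("profile") == prof {
        print field("apparmor"), field("operation"), field("name"), field("denied_mask")
    }' | sort -u
}

# Constructed sample log lines (not real output), for trying denials offline.
SAMPLE_LOG='audit: type=1400 audit(1700000000.101:51): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/etc/example.conf" pid=4242 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.202:52): apparmor="DENIED" operation="mknod" profile="/usr/sbin/tcpdump" name="/tmp/example.pcap" pid=4343 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.303:53): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/etc/example.conf" pid=4242 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
```

After loading a profile in complain mode and exercising the program, feed the kernel log (or audit.log, if auditd is installed) to denials; each "ALLOWED" line is an access the profile would have refused in enforce mode.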

Get in touch with upstream

Get in contact with upstream over the AppArmor upstream mailing list. It's where you can discuss anything that is not a merge request with the rest of the AppArmor community.

In order to get a new profile into the upstream apparmor-profiles package, you should file a bug against apparmor over at Launchpad.

Inform the Debian AppArmor Packaging team

When you feel the need to create a new profile or to modify an existing one, we encourage you to report a bug with the usertag "new-profile" or "modify-profile" to the Debian BTS, in order to inform the Debian AppArmor Packaging Team.

External documentation about profiles

The AppArmor wiki provides extensive documentation on how to contribute upstream. Here are some useful links: