- Create a new AppArmor profile, or modify an existing one
- Debian / Upstream relationship
- Generate and update your profiles
- Test your profiles
- Quick howto contribute to upstream AppArmor profiles using Git
- Get in touch with upstream
- Inform the Debian AppArmor Packaging team
- External documentation about profiles
Create a new AppArmor profile, or modify an existing one
We want to keep our delta with upstream as low as possible. Then, if you want to submit a new profile or modify an existing one, this should be done upstream first.
This process will also allow for better cross-distribution sharing and maintenance of profiles.
Debian / Upstream relationship
Every distribution has adopted a different strategy to handle their profiles. Most of Debian's AppArmor profiles are imported directly from the upstream repositories. The development of profiles takes place in Git at Launchpad:
Ubuntu and openSUSE ship AppArmor by default. For Ubuntu, who base their profiles on the same upstream source, once a profile is "ready", it is taken out of the profile development branch and inserted directly into the corresponding package: e.g. the AppArmor profile for evince is included into Ubuntu's evince package.
In Debian, on the long run, a profile should also be delivered in the package that ships the software it is confining. This is already the case for some packages. However, for now package maintainers can still rely on the Debian AppArmor packaging team which provides additional profiles via the apparmor-profiles-extra package.
Debian source package
Debian binary package
Ubuntu source package
Ubuntu binary package
Note: we merely use evince and tlsdate as example packages in this table. The tlsdate upstream tarball includes an own AppArmor profile, whereas the evince upstream tarball does not. The evince Ubuntu binary package is shipped with its own AppArmor profile, whereas in Debian, this profile is shipped in the apparmor-profiles-extra-package.
Generate and update your profiles
Please consult the "External links" section on the bottom of this page for more information on this topic.
Test your profiles
See Debugging a profile.
Quick howto contribute to upstream AppArmor profiles using Git
Upstream AppArmor profiles live in many different repositories. This documentation focuses on contributing to profiles that live in the upstream apparmor-profiles repository, but the procedure is quite similar for the other repositories.
If you want to contribute to existing/upstream AppArmor profiles, you need to:
You will also need to install the Git version control system:
apt-get install git
Go to or create a repository where you want to checkout the modifications:
git clone git+ssh://git.launchpad.net/apparmor-profiles cd apparmor-profiles ls
Create a topic branch:
git checkout -b BRANCHNAME origin/master
Then, start modifying the profiles using a text editor and test them. Testing is done through dis/enabling the profile. Once done, you can commit the changes to your local repository:
git add -p && git commit
Add a remote to push your changes:
git remote add USERNAME git+ssh://USERNAME@git.launchpad.net/~USERNAME/REPOSITORY
In ~/.ssh/config you might want to add
Host git.launchpad.net HostName git.launchpad.net User USERNAME Port 22 IdentityFile ~/.ssh/id_rsa_launchpad
Now, to push the changes to your remote repository, by creating a remote branch directly:
git push USERNAME BRANCHNAME
Then you will be able to request a merge through the web interface. Go to https://code.launchpad.net/~USERNAME/apparmor-profiles/+git/apparmor-profiles, click on your branch, and find the "Propose for merging" button. In the target "Target reference path:" field you need to specify "master".
(More details in the upstream documentation: https://help.launchpad.net/Code/Git)
Get in touch with upstream
In order to get a new profile into the upstream apparmor-profiles package, you should file a bug against apparmor over at Launchpad.
Inform the Debian AppArmor Packaging team
When you feel the need to create a new profile or to modify an existing one, we encourage you to report a bug with the usertag "new-profile" or "modify-profile" to the Debian BTS, in order to inform the Debian AppArmor Packaging Team.
External documentation about profiles
The AppArmor wiki provides numerous documentation on how to contribute upstream. Here are some useful links:
Introduction to the AppArmor profile language explains how to match files and what the different permissions mean.