Differences between revisions 65 and 77 (spanning 12 versions)
Revision 65 as of 2020-01-31 19:01:18
Size: 3129
Editor: nodiscc
Comment: remove link to redirection page
Revision 77 as of 2020-02-01 13:10:37
Size: 6737
Editor: nodiscc
Comment: move all content from Contribute/Upstream
Line 2: Line 2:
<<Navigation(siblings,1)>>
----
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: none-~

This page describes how to contribute to [[AppArmor]], both upstream and in Debian packages.


There are several ways to do this:

 * [[AppArmor/HowToUse|Enable AppArmor]], enforce a bunch of profiles, [[AppArmor/Debug|test]] and [[AppArmor/Reportbug|report bugs]] and/or happiness.
 * [[#Contribute_to_upstream_AppArmor_profiles|Contribute to upstream profiles]]
 * [[AppArmor/Debug#Edit_AppArmor_profiles|Create your own profiles]]
 * [[AppArmor/Contribute/MergeProfileFromUpstream|Update profiles shipped in apparmor-profiles-extra to the latest upstream version]]
 * Fix bugs in [[https://udd.debian.org/bugs.cgi?release=sid&merged=ign&fnewerval=7&flastmodval=7&apparmor=1&sortby=id&sorto=asc|the packages we maintain]]
 * Fix bugs in the DebianPts:apparmor package
 * Fix [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|usertagged bugs]]
 * Read, organize and update the [[AppArmor|Documentation]] and the [[AppArmor/Progress|progress tracking page]]
 * As a Debian package maintainer, [[AppArmor/Contribute/FirstTimeProfileImport|use dh_apparmor to import a profile to your package]]
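Review bot: The "Create your own profiles" item links to AppArmor/Debug#Edit_AppArmor_profiles, while the contribution steps added further down in this revision link the identically named anchor on a different page (AppArmor/HowToUse#Edit_AppArmor_profiles). Only one of the two pages is likely to carry that heading, so one of these links probably lands at the top of the page instead of the section. Check which page has the "Edit AppArmor profiles" section and use it consistently. The doubled blank line after the intro sentence can also go.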


Line 6: Line 23:
This page explains how to contribute to !AppArmor in Debian.

== Infrastructure ==

 * [[https://salsa.debian.org/apparmor-team/|Salsa project]]
 * [[https://alioth.debian.org/scm/browser.php?group_id=100952| Git repository for UDD usertag script]]
 * [[https://udd.debian.org/bugs.cgi?release=sid&merged=ign&fnewerval=7&flastmodval=7&apparmor=1&sortby=id&sorto=asc|Bugs in the packages we maintain]]

<<Anchor(contactteam)>>
== Interacting with the team ==

 * '''Email''': pkg-apparmor-team@lists.alioth.debian.org (see https://lists.alioth.debian.org/mailman/listinfo/pkg-apparmor-team for mailing list archives)
 * '''IRC''': ''#apparmor'' on irc.oftc.net (general AppArmor discussion channel)

== Current status ==

 * AppArmor is supported since Debian 7 (Wheezy).
 * See the [[AppArmor/Progress|progress tracking page]].

== How to participate ==

=== Ship an AppArmor profile in "your" package ===

 * [[AppArmor/Contribute/FirstTimeProfileImport | Import a profile to a package for the first time]], that is learn how to package using `dh_apparmor`
 * To create a completely new profile, see the [[AppArmor/Contribute#Create_new_profiles | "Create new profiles" section]].
 * [[AppArmor/Debug | Debug and test]]

=== Improve quality of AppArmor profiles ===

==== Use AppArmor ====

[[AppArmor/HowToUse|Enable AppArmor]], enforce a bunch of profiles, [[AppArmor/Debug | test]] and [[AppArmor/Reportbug | report bugs]] and/or happiness.
----
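Review bot: The removed "Current status" section carried the statement that AppArmor is supported since Debian 7 (Wheezy), and the removed "Infrastructure" section carried the link to the Git repository for the UDD usertag script; neither reappears in any added line of this diff. If both are meant to be dropped, say so in the edit comment; otherwise keep a one-line pointer, for example next to the progress tracking page link in the new intro list.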
Line 40: Line 26:
==== Create new profiles ==== == Debian / Upstream relationship ==
Line 42: Line 28:
We want to keep our delta with upstream as low as possible. If you want to submit a new profile, this [[AppArmor/Contribute/Upstream|should be done upstream first]]. '''We want to keep our delta with upstream as low as possible.''' If you want to submit a new profile or modify an existing one, this should be done '''upstream first'''. This process will also allow for better cross-distribution sharing and maintenance of profiles.
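Review bot: The rewritten sentence still tells contributors to go "upstream first" but drops the link the old wording had on those words, so a reader at this point has no pointer to the procedure. Since the content of Contribute/Upstream now lives on this page, link the phrase to the in-page section, for example [[#Contribute_to_upstream_AppArmor_profiles|upstream first]], as the intro list already does.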
Line 44: Line 30:
 * The AppArmor parser ''silently'' ignores rules that are not supported by the running kernel. To check which rules are actually enforced, pass the `--warn=rules-not-enforced --warn=rule-downgraded` options to `apparmor_parser`.
 * [[AppArmor#External_links|Learn more]]
Every distribution has adopted a different strategy to handle their profiles.
Most of Debian's !AppArmor profiles are imported directly from the upstream repositories. The development of profiles takes place in Git: https://gitlab.com/apparmor/apparmor-profiles,
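Review bot: The bullet about apparmor_parser silently ignoring rules that the running kernel does not support, together with the `--warn=rules-not-enforced --warn=rule-downgraded` options, is dropped here and does not come back in any added line. For someone testing a profile before submitting it, this caveat matters, because a profile can load without complaint while part of it is not enforced. Keep it next to the "Test your profiles" step or move it to AppArmor/Debug and link it from there. The added sentence that ends in the GitLab URL also finishes with a comma instead of a full stop.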
Line 47: Line 33:
==== Import Upstream changes to Debian ==== Ubuntu and openSUSE enable !AppArmor by default. For Ubuntu, who base their profiles on the same upstream source, once a profile is "ready", it is [[https://wiki.ubuntu.com/ApparmorProfileMigration | taken out of the profile development branch and inserted directly into the corresponding package]]: e.g. the !AppArmor profile for `evince` is included into Ubuntu's evince package.
Line 49: Line 35:
[[AppArmor/Contribute/MergeProfileFromUpstream | Update profiles shipped in apparmor-profiles-extra to the latest upstream version]] In Debian, on the long run, a profile should also be delivered in the package that ships the software it is confining. This is already the case for [[https://wiki.debian.org/AppArmor/Progress#Included_in_the_corresponding_package|some packages]]. However, for now package maintainers can still rely on the Debian !AppArmor packaging team which provides additional profiles via the DebianPkg:apparmor-profiles-extra package.

||<style="background-color: lightgrey;">Upstream ||<style="background-color: lightgrey;">Debian source package ||<style="background-color: lightgrey;">Debian binary package ||<style="background-color: lightgrey;">Ubuntu source package ||<style="background-color: lightgrey;">Ubuntu binary package ||
|| [[https://gitlab.com/apparmor/apparmor|apparmor]] || DebianPts:apparmor || DebianPkg:apparmor and DebianPkg:apparmor-profiles || [[http://packages.ubuntu.com/source/apparmor|apparmor]] || [[http://packages.ubuntu.com/apparmor|apparmor]] ||
|| [[https://gitlab.com/apparmor/apparmor-profiles|apparmor-profiles]] || DebianPts:apparmor-profiles-extra || DebianPkg:apparmor-profiles-extra || [[http://packages.ubuntu.com/source/apparmor-profiles-extra|apparmor-profiles-extra]] || [[http://packages.ubuntu.com/apparmor-profiles-extra|apparmor-profiles-extra]] ||
|| Ubuntu || DebianPts:apparmor-profiles-extra || DebianPkg:apparmor-profiles-extra || [[https://launchpad.net/ubuntu/+source/tcpdump|tcpdump]] || [[http://packages.ubuntu.com/tcpdump|tcpdump]]||
|| Ubuntu || DebianPts:evince || DebianPkg:evince || [[https://launchpad.net/ubuntu/+source/evince|evince]] || [[http://packages.ubuntu.com/evince|evince]]||
|| libvirt || DebianPts:libvirt || DebianPkg:libvirt-daemon-system || [[https://launchpad.net/ubuntu/+source/libvirt|libvirt]] || [[http://packages.ubuntu.com/libvirt-daemon-system|libvirt-daemon-system]]||

Note: we merely use `evince` and `libvirt` as example packages in this table. The libvirt upstream tarball includes an own !AppArmor profile, whereas the evince upstream tarball does not.

== Contribute to upstream AppArmor profiles ==

[[#Debian_.2F_Upstream_relationship|Upstream AppArmor profiles live in many different repositories.]] This documentation focuses on contributing to profiles that live in the [[https://gitlab.com/apparmor/apparmor-profiles | upstream apparmor-profiles repository]], but the procedure is quite similar for the other repositories.

If you want to contribute to existing/upstream AppArmor profiles, you need to:

 * Generate and update your profiles: see '''[[AppArmor/HowToUse#Edit_AppArmor_profiles]]'''
 * Test your profiles: see [[AppArmor/Debug]]
 * create an account on [[https://gitlab.com/|GitLab.com]]
 * upload a SSH key to be able to push your changes.
 * install the Git version control system: `sudo apt install git`
 * Fork the upstream project: https://gitlab.com/apparmor/apparmor-profiles/forks/new
 * `git clone` your brand new fork.
 * Create a topic branch `git checkout -b BRANCHNAME origin/master`
 * [[AppArmor/HowToUse#Edit_AppArmor_profiles|Edit the profile, install/reload it]], and [[AppArmor/Debug|test it]]
 * Once done, you can commit the changes to your local repository: `git add -p && git commit`
 * Push the changes to your remote repository on a dedicated branch: `git push -u origin BRANCHNAME`
 * Then you will see a link that proposes you send a merge request through the web interface.
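Review bot: The step list under "you need to:" is a sequential procedure written as unordered bullets, and it states the edit and test steps twice: once at the top, before the GitLab account, fork and clone exist, and again after the topic branch is created. Make it a numbered list and keep editing and testing only after `git checkout -b BRANCHNAME origin/master`, so the order a contributor follows is unambiguous. Capitalisation of the items is also inconsistent ("create an account", "upload a SSH key", "install the Git version control system" versus "Fork", "Create", "Push"), and the table uses http:// links for packages.ubuntu.com while the other external links are https://.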
Line 52: Line 66:
=== Debug, report triage and fix bugs === == Get in touch with upstream ==
Line 54: Line 68:
 * [[AppArmor/Debug | Debug AppArmor profiles]]
 * [[AppArmor/Reportbug | Report and triage bugs]] and/or happiness
 * '''Fix bugs''' in [[https://udd.debian.org/bugs.cgi?release=sid&merged=ign&fnewerval=7&flastmodval=7&apparmor=1&sortby=id&sorto=asc|the packages we maintain]]
 * '''Fix bugs''' in the DebianPts:apparmor package
 * '''Fix usertagged''' [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|bugs]]
 * [[https://lists.ubuntu.com/mailman/listinfo/apparmor|AppArmor upstream mailing list]] - anything that is not a merge request
 * [[https://help.ubuntu.com/community/ReportingBugs|file a bug against apparmor on Launchpad]] - to get a new profile into the upstream apparmor-profiles package (see also [[https://gitlab.com/apparmor/apparmor/-/wikis/Launchpadtutorial|Launchpad tutorial]])
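Review bot: The Launchpad item says to file a bug "to get a new profile into the upstream apparmor-profiles package", which conflicts with the section just above it, where changes to that repository go through a GitLab merge request. State which channel applies to new profiles, or that both are accepted. The link text "file a bug against apparmor on Launchpad" also points to the general Ubuntu ReportingBugs help page rather than to a place where the bug can be filed.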
Line 60: Line 71:
=== Miscellaneous === == Get in touch with the Debian AppArmor Packaging team ==
Line 62: Line 73:
 * '''Organize''' by keeping the [[AppArmor/Progress|progress tracking page]] up-to-date
 * '''Documentation''': improve the [[AppArmor/HowToUse|documentation about the user side of things]]
To update Debian profiles from upstream, please contact the packaging team:
Line 65: Line 75:
== Tools ==  * pkg-apparmor-team@lists.alioth.debian.org mailing list
  * [[https://lists.alioth.debian.org/mailman/listinfo/pkg-apparmor-team|mailing list archives]]
 * `#apparmor` [[IRC|IRC channel]] on irc.oftc.net
 * [[AppArmor/Reportbug | report a bug with the usertag "new-profile" or "modify-profile"]]
 * [[https://salsa.debian.org/apparmor-team/|AppArmor Salsa project]]
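Review bot: The new contact list replaces the removed "Interacting with the team" section but not its `<<Anchor(contactteam)>>`, so any existing link to #contactteam will no longer resolve. Put the anchor line above the "Get in touch with the Debian AppArmor Packaging team" heading. The IRC item also lost the note that #apparmor is the general AppArmor discussion channel, which told readers it is not a Debian-only channel.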
Line 67: Line 81:
In order to organize the Debian Wiki documentation about !AppArmor, we have set up a set of [[AppArmor/UserStories | user stories]].

Translation(s): none

This page describes how to contribute to AppArmor, both upstream and in Debian packages.

There are several ways to do this:


Debian / Upstream relationship

We want to keep our delta with upstream as low as possible. If you want to submit a new profile or modify an existing one, this should be done upstream first. This process will also allow for better cross-distribution sharing and maintenance of profiles.

Every distribution has adopted a different strategy to handle their profiles. Most of Debian's AppArmor profiles are imported directly from the upstream repositories. The development of profiles takes place in Git: https://gitlab.com/apparmor/apparmor-profiles.

Ubuntu and openSUSE enable AppArmor by default. For Ubuntu, which bases its profiles on the same upstream source, once a profile is "ready", it is taken out of the profile development branch and inserted directly into the corresponding package: e.g. the AppArmor profile for evince is included in Ubuntu's evince package.

In Debian, in the long run, a profile should also be delivered in the package that ships the software it is confining. This is already the case for some packages. However, for now package maintainers can still rely on the Debian AppArmor packaging team, which provides additional profiles via the apparmor-profiles-extra package.

|| Upstream || Debian source package || Debian binary package || Ubuntu source package || Ubuntu binary package ||
|| apparmor || apparmor || apparmor and apparmor-profiles || apparmor || apparmor ||
|| apparmor-profiles || apparmor-profiles-extra || apparmor-profiles-extra || apparmor-profiles-extra || apparmor-profiles-extra ||
|| Ubuntu || apparmor-profiles-extra || apparmor-profiles-extra || tcpdump || tcpdump ||
|| Ubuntu || evince || evince || evince || evince ||
|| libvirt || libvirt || libvirt-daemon-system || libvirt || libvirt-daemon-system ||

Note: we merely use evince and libvirt as example packages in this table. The libvirt upstream tarball includes its own AppArmor profile, whereas the evince upstream tarball does not.

Contribute to upstream AppArmor profiles

Upstream AppArmor profiles live in many different repositories. This documentation focuses on contributing to profiles that live in the upstream apparmor-profiles repository, but the procedure is quite similar for the other repositories.

If you want to contribute to existing/upstream AppArmor profiles, you need to:

Get in touch with upstream

Get in touch with the Debian AppArmor Packaging team

To update Debian profiles from upstream, please contact the packaging team:


CategorySystemSecurity