Translation(s): none

This page describes how to contribute to AppArmor, both upstream and in Debian packages.

There are several ways to do this:


Debian / Upstream relationship

We want to keep our delta with upstream as low as possible. If you want to submit a new profile or modify an existing one, this should be done upstream first. This process will also allow for better cross-distribution sharing and maintenance of profiles.

Every distribution has adopted a different strategy to handle their profiles. Most of Debian's AppArmor profiles are imported directly from the upstream repositories. The development of profiles takes place in Git: https://gitlab.com/apparmor/apparmor-profiles,

Ubuntu and openSUSE enable AppArmor by default. For Ubuntu, who base their profiles on the same upstream source, once a profile is "ready", it is taken out of the profile development branch and inserted directly into the corresponding package: e.g. the AppArmor profile for evince is included into Ubuntu's evince package.

In Debian, on the long run, a profile should also be delivered in the package that ships the software it is confining. This is already the case for some packages. However, for now package maintainers can still rely on the Debian AppArmor packaging team which provides additional profiles via the apparmor-profiles-extra package.

Upstream

Debian source package

Debian binary package

Ubuntu source package

Ubuntu binary package

apparmor

apparmor

apparmor and apparmor-profiles

apparmor

apparmor

apparmor-profiles

apparmor-profiles-extra

apparmor-profiles-extra

apparmor-profiles-extra

apparmor-profiles-extra

Ubuntu

apparmor-profiles-extra

apparmor-profiles-extra

tcpdump

tcpdump

Ubuntu

evince

evince

evince

evince

libvirt

libvirt

libvirt-daemon-system

libvirt

libvirt-daemon-system

Note: we merely use evince and libvirt as example packages in this table. The libvirt upstream tarball includes an own AppArmor profile, whereas the evince upstream tarball does not.

Contribute to upstream AppArmor profiles

Upstream AppArmor profiles live in many different repositories. This documentation focuses on contributing to profiles that live in the upstream apparmor-profiles repository, but the procedure is quite similar for the other repositories.

If you want to contribute to existing/upstream AppArmor profiles, you need to:

Get in touch with upstream

Get in touch with the Debian AppArmor Packaging team

To update Debian profiles from upstream, please contact the packaging team:


CategorySystemSecurity