[pmg-devel] [PATCH pmg-api] ship AppArmor feature file
Thomas Lamprecht
t.lamprecht at proxmox.com
Mon Aug 12 14:11:26 CEST 2019
On 8/1/19 at 11:06 AM, Stoiko Ivanov wrote:
> With Debian Buster AppArmor is enabled by default. Since we use a different
> kernel (from pve) the pinned App Armor Feature ABI [0] shipped by upstream
> does lead to problems with certain applications, which have an aa profile (e.g.
> unbound).
>
> The postrm and preinst maintainer scripts are taken (with minor modifications
> of comments and replacement of the package name and version) from pve-lxc.
>
> The aa-feature file was generated by:
> * commenting the feature-file option in /etc/apparmor/parser.conf
> * removing the directories in /var/cache/apparmor/*
> * rebooting with 5.0.18-1-pve
> * copying the .features from /var/cache/apparmor/$hash/
>
> Tested by rebooting with the file and config in place and successfully starting
> unbound (with AA-profile present and in enforce mode).
>
> [0] https://gitlab.com/apparmor/apparmor/wikis/AppArmorFeatureABI
>
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
> Huge Thanks to Fabian Gruenbichler and Wolfgang Bumiller for pointing me in the
> right direction! Would be grateful for a review by eyes more experienced with
> AA.
>
>
> debian/postrm | 24 +++++++++++++++
> debian/preinst | 27 +++++++++++++++++
> src/Makefile | 1 +
> src/aa-features | 78 +++++++++++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 130 insertions(+)
> create mode 100644 debian/postrm
> create mode 100644 debian/preinst
> create mode 100644 src/aa-features
>
Is this still relevant? At least I cannot see something else which replaced/voided
this..