[pmg-devel] [PATCH pmg-api] ship AppArmor feature file
Stoiko Ivanov
s.ivanov at proxmox.com
Mon Aug 12 14:24:20 CEST 2019
On Mon, 12 Aug 2019 14:11:26 +0200
Thomas Lamprecht <t.lamprecht at proxmox.com> wrote:
> Am 8/1/19 um 11:06 AM schrieb Stoiko Ivanov:
> > With Debian Buster AppArmor is enabled by default. Since we use a different
> > kernel (from pve) the pinned AppArmor Feature ABI [0] shipped by upstream
> > does lead to problems with certain applications, which have an aa profile (e.g.
> > unbound)
> >
> > The postrm and preinst maintainer scripts are taken (with minor modifications
> > of comments and replacement of the package name and version) from pve-lxc.
> >
> > The aa-feature file was generated by:
> > * commenting the feature-file option in /etc/apparmor/parser.conf
> > * removing the directories in /var/cache/apparmor/*
> > * rebooting with 5.0.18-1-pve
> > * copying the .features from /var/cache/apparmor/$hash/
> >
> > Tested by rebooting with the file and config in place and successfully starting
> > unbound (with AA-profile present and in enforce mode).
> >
> > [0] https://gitlab.com/apparmor/apparmor/wikis/AppArmorFeatureABI
> >
> > Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> > ---
> > Huge Thanks to Fabian Gruenbichler and Wolfgang Bumiller for pointing me in the
> > right direction! Would be grateful for a review by eyes more experienced with
> > AA.
> >
> >
> > debian/postrm | 24 +++++++++++++++
> > debian/preinst | 27 +++++++++++++++++
> > src/Makefile | 1 +
> > src/aa-features | 78 +++++++++++++++++++++++++++++++++++++++++++++++++
> > 4 files changed, 130 insertions(+)
> > create mode 100644 debian/postrm
> > create mode 100644 debian/preinst
> > create mode 100644 src/aa-features
> >
>
> Is this still relevant? At least I cannot see something else which replaced/voided
> this..
We had a short talk off-list with Fabian (Gruenbichler), and he rightly pointed
out that the logic behind the feature file is that it should pin the features used
to the shipped profiles, so that a newer kernel version does not affect the
workings of the profiles.
So the 'fix' of shipping an updated feature file is not really correct.
I wanted to hunt this down some more, but did not yet get around to doing so.
However, since all PMG-shipped services run happily with the shipped feature file,
it was not on top of my prio-list.
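The pinning argument above is easier to see with a check that lists which mediation classes the running kernel exposes but the pinned feature file never mentions. This is an added example, not part of the patch or of pmg-api; it assumes the feature-ABI file uses the brace format the parser writes to /var/cache/apparmor/<hash>/.features (a class is the identifier opening a brace at nesting depth 0) and that the kernel's classes are the directories under /sys/kernel/security/apparmor/features; the sample data it builds is constructed.

```shell
#!/bin/sh
# Added example: compare the classes covered by a pinned AppArmor feature-ABI
# file with the classes the running kernel mediates.

# Top-level classes in a feature-ABI file. In the parser's format a class is
# the identifier that opens a brace while the nesting depth is 0.
aa_feature_classes() {
    awk '{
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "{") {
                name = (word != "" ? word : last)
                if (depth == 0) print name
                depth++; word = ""; last = ""
            } else if (c == "}") {
                depth--; word = ""; last = ""
            } else if (c == " " || c == "\t") {
                if (word != "") last = word
                word = ""
            } else {
                word = word c
            }
        }
        word = ""
    }' "$1" | sort
}

# Classes the running kernel mediates: the directories of its securityfs
# features tree. The path is a parameter so a constructed tree can be used.
aa_kernel_classes() {
    ls -1 "${1:-/sys/kernel/security/apparmor/features}" | sort
}

# Classes the kernel mediates that the pin never mentions. Profiles compiled
# against the pin carry no rules for them; the pin is what keeps a newer
# kernel from changing how those profiles behave.
aa_unpinned_classes() {
    pinned=$(mktemp) kern=$(mktemp)
    aa_feature_classes "$1" > "$pinned"
    aa_kernel_classes "$2" > "$kern"
    comm -13 "$pinned" "$kern"
    rm -f "$pinned" "$kern"
}

# Constructed sample (not a real pin or kernel): a pin with three classes and
# a fake features tree from a "newer kernel" that also mediates signal.
aa_make_sample() {
    d=$(mktemp -d)
    printf 'caps {mask {chown dac_override\n}\n}\nfile {mask {create read write\n}\n}\npolicy {versions {v5 v6 v7\n}\n}\n' > "$d/.features"
    mkdir -p "$d/features/caps" "$d/features/file" "$d/features/policy/versions" "$d/features/signal"
    echo "$d"
}
```

Running `aa_unpinned_classes /var/cache/apparmor/<hash>/.features` on a live host (second argument omitted) lists the classes the pinned ABI is holding back on that kernel.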