[pmg-devel] [PATCH pmg-api] ship AppArmor feature file

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Aug 12 14:32:36 CEST 2019


On 8/12/19 at 2:24 PM, Stoiko Ivanov wrote:
> On Mon, 12 Aug 2019 14:11:26 +0200
> Thomas Lamprecht <t.lamprecht at proxmox.com> wrote:
> 
>> On 8/1/19 at 11:06 AM, Stoiko Ivanov wrote:
>>> With Debian Buster AppArmor is enabled by default. Since we use a different
>>> kernel (from pve) the pinned AppArmor Feature ABI [0] shipped by upstream
>>> does lead to problems with certain applications which have an aa profile (e.g.
>>> unbound).
>>>
>>> The postrm and preinst maintainer scripts are taken (with minor modifications
>>> of comments and replacement of the package name and version) from pve-lxc.
>>>
>>> The aa-feature file was generated by:
>>> * commenting the feature-file option in /etc/apparmor/parser.conf
>>> * removing the directories in /var/cache/apparmor/*
>>> * rebooting with 5.0.18-1-pve
>>> * copying the .features from /var/cache/apparmor/$hash/
>>>
>>> Tested by rebooting with the file and config in place and successfully starting
>>> unbound (with AA-profile present and in enforce mode).
>>>
>>> [0] https://gitlab.com/apparmor/apparmor/wikis/AppArmorFeatureABI
>>>
>>> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
>>> ---
>>> Huge Thanks to Fabian Gruenbichler and Wolfgang Bumiller for pointing me in the
>>> right direction! Would be grateful for a review by eyes more experienced with
>>> AA.
>>>
>>>
>>>  debian/postrm   | 24 +++++++++++++++
>>>  debian/preinst  | 27 +++++++++++++++++
>>>  src/Makefile    |  1 +
>>>  src/aa-features | 78 +++++++++++++++++++++++++++++++++++++++++++++++++
>>>  4 files changed, 130 insertions(+)
>>>  create mode 100644 debian/postrm
>>>  create mode 100644 debian/preinst
>>>  create mode 100644 src/aa-features
>>>
>>
>> Is this still relevant? At least I cannot see anything else which replaced/voided
>> this...
> 
> We had a short talk off-list with Fabian (Gruenbichler) - and he rightly pointed
> out that the logic behind the feature file is that it should pin the features used
> by the shipped profiles - so that a newer kernel version does not affect the
> workings of the profiles.
> 
> So the 'fix' of shipping an updated feature file is not really correct.
> I wanted to hunt this down some more, but did not yet get around to doing so.
> 
> However, since all PMG shipped services run happily with the shipped feature-file,
> it was not on top of my prio-list.
> 

OK, thanks for the update. Then I'll keep this also on the back burner,
until it either becomes relevant or someone provides patches for a better
"fix".
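The point Stoiko relays above (the feature file should pin the feature set the shipped profiles were written against, so that a newer kernel cannot change their behaviour, and shipping a newer kernel's features as the pin gets this backwards) can be checked mechanically. The script below is an added example, not code from the pmg-api patch, from Proxmox or from the AppArmor project: it parses the flattened nested-brace feature format that the parser caches under /var/cache/apparmor/<hash>/.features (as mentioned in the patch description; the exact format is assumed from that file's layout) and reports every pinned entry a given kernel does not offer. Both feature texts are constructed samples, not real kernel output.

```python
"""Check a pinned AppArmor feature ABI file against a kernel's feature set.

Added example, not part of the pmg-api patch or of AppArmor itself.
Feature format assumed: nested `name {...}` blocks whose innermost
blocks hold whitespace-separated values, e.g. `caps {mask {chown kill\n}\n}`.
"""
import re
from typing import Dict, List, Union

FeatureTree = Union[Dict[str, "FeatureTree"], List[str]]

# Tokens are `{`, `}` and any run of characters that is neither brace nor space.
_TOKEN = re.compile(r"\{|\}|[^\s{}]+")


def parse_features(text: str) -> FeatureTree:
    """Parse `name {...}` blocks into nested dicts; innermost blocks become lists."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def parse_body() -> FeatureTree:
        nonlocal pos
        children: Dict[str, FeatureTree] = {}
        leaves: List[str] = []
        while pos < len(tokens) and tokens[pos] != "}":
            tok = tokens[pos]
            if pos + 1 < len(tokens) and tokens[pos + 1] == "{":
                pos += 2                      # consume "name {"
                children[tok] = parse_body()
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError(f"unclosed block {tok!r}")
                pos += 1                      # consume "}"
            else:
                leaves.append(tok)
                pos += 1
        if children and leaves:
            raise ValueError("block mixes sub-blocks and plain values")
        return children if children else leaves

    tree = parse_body()
    if pos != len(tokens):
        raise ValueError("unbalanced closing brace")
    return tree


def missing_features(pinned: FeatureTree, kernel: FeatureTree, prefix: str = "") -> List[str]:
    """Return paths (e.g. '/caps/mask/bpf') present in `pinned` but absent from `kernel`."""
    missing: List[str] = []
    if isinstance(pinned, dict):
        if not isinstance(kernel, dict):
            return [prefix or "/"]
        for name, sub in pinned.items():
            path = f"{prefix}/{name}"
            if name not in kernel:
                missing.append(path)
            else:
                missing.extend(missing_features(sub, kernel[name], path))
    else:
        available = set(kernel) if isinstance(kernel, list) else set()
        missing.extend(f"{prefix}/{value}" for value in pinned if value not in available)
    return missing


def check_pinned_file(pinned_text: str, kernel_text: str) -> List[str]:
    """Empty list means every pinned feature exists on this kernel."""
    return missing_features(parse_features(pinned_text), parse_features(kernel_text))


# Constructed sample: the feature set a package pins (taken from an older kernel).
PINNED_OLDER = """\
caps {mask {chown dac_override kill setuid
}
}
policy {versions {v7 {yes
}
v6 {yes
}
}
}
signal {mask {hup int kill term
}
}
"""

# Constructed sample: a newer kernel that gained a capability, a ptrace block
# and a signal; everything the older pin lists is still present.
KERNEL_NEWER = """\
caps {mask {chown dac_override kill setuid bpf
}
}
policy {versions {v7 {yes
}
v6 {yes
}
}
}
ptrace {mask {read trace
}
}
signal {mask {hup int kill term usr1
}
}
"""

if __name__ == "__main__":
    # Pinning to the older set: a newer kernel still satisfies every entry.
    print("older pin on newer kernel:", check_pinned_file(PINNED_OLDER, KERNEL_NEWER))
    # Shipping the newer kernel's features as the pin and then booting an
    # older kernel is the mismatch the thread warns about.
    print("newer pin on older kernel:", check_pinned_file(KERNEL_NEWER, PINNED_OLDER))
```

The first call returns an empty list (the pin is a subset of the newer kernel), while the second reports `/caps/mask/bpf`, `/ptrace` and `/signal/mask/usr1`: exactly the entries a profile compiled against the newer pin could reference but the older kernel cannot enforce. To use it on a real system, feed it the package's aa-features text and the flattened feature set cached for the running kernel.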
