[pve-devel] [PATCH lxc 2/3] replace AA's feature-set with custom one

[Fabian Grünbichler]

Debian's apparmor package introduced feature-set pinning in Debian
Stretch 9.4 to prevent problems with AA profiles packaged in Debian
Stretch which target Debian Stretch's 4.9 based kernel.

Since our LXC profiles rely on features not included in this feature
set, we need to replace the pinned feature-set with our own.

The features file is not a conf-file, so it is possible to just
dpkg-divert it on installation/upgrades.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 debian/lxc-pve.install |  1 +
 debian/lxc-pve.postrm  | 23 +++++++++++++++++++++++
 debian/lxc-pve.preinst | 25 +++++++++++++++++++++++++
 3 files changed, 49 insertions(+)
 create mode 100644 debian/lxc-pve.postrm
 create mode 100644 debian/lxc-pve.preinst

diff --git a/debian/lxc-pve.install b/debian/lxc-pve.install
index 8ceffad..b34afff 100644
--- a/debian/lxc-pve.install
+++ b/debian/lxc-pve.install
@@ -9,3 +9,4 @@ usr/lib/*/lxc/hooks/*
 usr/lib/*/lxc/rootfs/README
 lib/systemd
 etc
+debian/features /usr/share/apparmor-features/
diff --git a/debian/lxc-pve.postrm b/debian/lxc-pve.postrm
new file mode 100644
index 0000000..de43c0b
--- /dev/null
+++ b/debian/lxc-pve.postrm
@@ -0,0 +1,23 @@
+#! /bin/sh
+
+set -e
+
+# remove diversion of apparmor feature pinning file, see preinst
+aa_feature_remove_diversion() {
+  dpkg-divert --package lxc-pve --remove --rename \
+      --divert /usr/share/apparmor-features/features.stock \
+      /usr/share/apparmor-features/features
+}
+
+case "$1" in
+  abort-upgrade)
+    if dpkg --compare-versions "$2" 'lt' '2.1.1-3'; then
+      aa_feature_remove_diversion
+    fi
+    ;;
+  remove|abort-install|disappear)
+    aa_feature_remove_diversion
+    ;;
+esac
+
+exit 0
diff --git a/debian/lxc-pve.preinst b/debian/lxc-pve.preinst
new file mode 100644
index 0000000..a2c7c50
--- /dev/null
+++ b/debian/lxc-pve.preinst
@@ -0,0 +1,25 @@
+#! /bin/sh
+
+set -e
+
+# divert apparmor feature pinning file
+# Debian 9.4+ pins to a kernel 4.9 feature set which breaks mount
+# mediation, among other things
+aa_feature_add_diversion() {
+  dpkg-divert --package lxc-pve --add --rename \
+      --divert /usr/share/apparmor-features/features.stock \
+      /usr/share/apparmor-features/features
+}
+
+case "$1" in
+  upgrade)
+    if dpkg --compare-versions "$2" 'lt' '2.1.1-3'; then
+      aa_feature_add_diversion
+    fi
+    ;;
+  *)
+    aa_feature_add_diversion
+    ;;
+esac
+
+exit 0
-- 
2.14.2