Hi Craig,

Craig Small wrote (04 Dec 2014 09:47:10 GMT) :
> On Wed, Dec 03, 2014 at 08:48:08PM -0600, Pat Parson wrote:
>> /bin/ps does not have an apparmor profile.
>> I have attached an apparmor profile to patch the package.

> Except for a basic concept, I'm not familiar with apparmor and Debian.
> The Debian wiki is not too helpful with it either.

Indeed. Thanks for getting in touch with us!

In general, it's good if new profiles are:

 * reviewed by someone who's knowledgeable about AppArmor, to make
   sure it actually offers some protection and respects various best
   practices; pkg-apparmor-team can help with that, if needed by
   asking on the upstream AppArmor list for advice (and even better,
   a few upstream/Ubuntu AppArmor folks lead the list :)

 * tested by someone who's knowledgeable about the program that is
   being confined by the proposed profile, to make sure the
   confinement profile doesn't break common use cases. The package
   maintainer generally is one of the best-placed people to do this.

In a nutshell, fire up a sid VM, `apt install apparmor', add
`apparmor=1 security=apparmor' to the kernel command-line, drop the
profile in place, reboot and test at will.

> Is it just a matter of sticking this patch file into
> /etc/apparmor.d/bin.ps and then that's it?

A little bit more work is needed, particularly to load the profile in
postinst, but dh-apparmor deals with it just fine.

> It would be really useful if the Wiki had a "what happens if you
> get one of these profiles" page. For someone who understands how
> it works it should be a pretty quick page to write.

Right. The good news is that we have an OPW intern who'll start
working exactly on this kind of thing in a few days :)

> A debhelper dh_* tool would even be better.

We've had dh-apparmor for a while :)

Cheers,
--
intrigeri
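A pre-test check for the VM procedure described in the message above, as an added example that is not part of the original mail or of any Debian package: it confirms that the kernel was booted with `apparmor=1 security=apparmor` and that the profile is loaded in enforce mode, so that a passing test run of ps really was a confined one. The profile name `/bin/ps`, the function names and the securityfs mount point `/sys/kernel/security` are assumptions.

```shell
#!/bin/sh
# Added example: verify the test VM actually confines the program under test.
# File arguments default to the live kernel files; saved copies can be passed.

# Succeeds only if both kernel parameters from the mail are on the command line.
cmdline_enables_apparmor() {
    cmdline_file=${1:-/proc/cmdline}
    cmdline=
    read -r cmdline < "$cmdline_file" || [ -n "$cmdline" ]
    case " $cmdline " in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case " $cmdline " in *" security=apparmor "*) ;; *) return 1 ;; esac
}

# Prints the mode (enforce/complain) of a loaded profile; fails if not loaded.
# Lines in the profiles file look like: "/bin/ps (enforce)".
profile_mode() {
    name=$1
    profiles_file=${2:-/sys/kernel/security/apparmor/profiles}
    while IFS= read -r line; do
        case $line in
            "$name ("*")")
                mode=${line##*\(}
                printf '%s\n' "${mode%\)}"
                return 0 ;;
        esac
    done < "$profiles_file"
    return 1
}

# One-word verdict for the profile under test (name is an assumption: /bin/ps).
check_confinement() {
    name=$1
    if ! cmdline_enables_apparmor "${2:-/proc/cmdline}"; then
        echo "kernel-params-missing"; return 1
    fi
    if ! mode=$(profile_mode "$name" "${3:-/sys/kernel/security/apparmor/profiles}"); then
        echo "profile-not-loaded"; return 1
    fi
    if [ "$mode" != enforce ]; then
        echo "profile-in-$mode-mode"; return 1
    fi
    echo "confined"
}
```

Source the file as root in the VM after the reboot and run `check_confinement /bin/ps`; reading the profiles file requires root.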