Debian's apparmor package introduced feature-set pinning in Debian Stretch 9.4 to prevent problems with AA profiles packaged in Debian Stretch which target Debian Stretch's 4.9-based kernel.
Since our LXC profiles rely on features not included in this feature set, we need to replace the pinned feature-set with our own. The features file is not a conf-file, so it is possible to just dpkg-divert it on installation/upgrades. Signed-off-by: Fabian Grünbichler <[email protected]> --- debian/lxc-pve.install | 1 + debian/lxc-pve.postrm | 23 +++++++++++++++++++++++ debian/lxc-pve.preinst | 25 +++++++++++++++++++++++++ 3 files changed, 49 insertions(+) create mode 100644 debian/lxc-pve.postrm create mode 100644 debian/lxc-pve.preinst diff --git a/debian/lxc-pve.install b/debian/lxc-pve.install index 8ceffad..b34afff 100644 --- a/debian/lxc-pve.install +++ b/debian/lxc-pve.install @@ -9,3 +9,4 @@ usr/lib/*/lxc/hooks/* usr/lib/*/lxc/rootfs/README lib/systemd etc +debian/features /usr/share/apparmor-features/ diff --git a/debian/lxc-pve.postrm b/debian/lxc-pve.postrm new file mode 100644 index 0000000..de43c0b --- /dev/null +++ b/debian/lxc-pve.postrm @@ -0,0 +1,23 @@ +#! /bin/sh + +set -e + +# remove diversion of apparmor feature pinning file, see preinst +aa_feature_remove_diversion() { + dpkg-divert --package lxc-pve --remove --rename \ + --divert /usr/share/apparmor-features/features.stock \ + /usr/share/apparmor-features/features +} + +case "$1" in + abort-upgrade) + if dpkg --compare-versions "$2" 'lt' '2.1.1-3'; then + aa_feature_remove_diversion + fi + ;; + remove|abort-install|disappear) + aa_feature_remove_diversion + ;; +esac + +exit 0 diff --git a/debian/lxc-pve.preinst b/debian/lxc-pve.preinst new file mode 100644 index 0000000..a2c7c50 --- /dev/null +++ b/debian/lxc-pve.preinst 
@@ -0,0 +1,25 @@ +#! /bin/sh + +set -e + +# divert apparmor feature pinning file +# Debian 9.4+ pins to a kernel 4.9 feature set which breaks mount +# mediation, among other things +aa_feature_add_diversion() { + dpkg-divert --package lxc-pve --add --rename \ + --divert /usr/share/apparmor-features/features.stock \ + /usr/share/apparmor-features/features +} + +case "$1" in + upgrade) + if dpkg --compare-versions "$2" 'lt' '2.1.1-3'; then + aa_feature_add_diversion + fi + ;; + *) + aa_feature_add_diversion + ;; +esac + +exit 0 -- 2.14.2
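Review bot: the line added to debian/lxc-pve.install ships `debian/features`, but the diffstat lists only lxc-pve.install, lxc-pve.postrm and lxc-pve.preinst, so the file itself is not part of this patch. Please say in the commit message where `debian/features` comes from and which kernel's feature set it captures. The installed path is the one the apparmor package pins, so the replacement set is what profiles get compiled against and its origin should be reviewable.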
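Review bot: in debian/lxc-pve.postrm the `abort-upgrade` branch compares `"$2"` against a bare `'2.1.1-3'` that is repeated in the preinst. A one-line comment stating that this is the first version carrying the diversion, and that `$2` here is the old version being restored, would keep the two scripts from drifting apart. Also note that `dpkg-divert --remove --rename` runs under `set -e`, so a failed rename aborts the removal; if that is intended, the comment above `aa_feature_remove_diversion` should say so.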
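Review bot: in debian/lxc-pve.preinst the `*)` branch adds the diversion for every action other than `upgrade`, which includes `abort-upgrade` as well as `install`. Matching `install` explicitly and leaving other actions as no-ops would make the intent clear and avoid diverting on actions the script never meant to handle. The comment above `aa_feature_add_diversion` could also mention that the stock file is kept as `features.stock`, since the postrm relies on that name.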
