20/08/2015

- cboltz: samba in OpenSuSE updates aa profiles based on a config file which mentions the shares so that they are accessible.
- intrigeri suggests that we should open a deb bug to track OpenSuSE's solution for this but won't work on samba profiles himself.
- re-reading apparmor ml upstream mails to find out current discussion about cross distro profiles
- auditd - adm user bug, needs to run as root atm.

enable aa by default in debian
- we basically agreed to that already.

aa-profiles-extra:
  * start moving the profiles to the individual packages
  * complain mode

- cross profile git repo
  * ubuntu/current
  * ubuntu/trusty
  * debian/current
  * debian/jessie
  * debian/stretch
  * opensuse/factory
  => we would only work on current and the other branches would be in "maintenance" mode
  => git is now supported on launchpad, so we can switch to it for cross distro maintenance.
  => profiles would be automatically pulled from packages and inserted into this git repo
  * use tunables for distro specific abstractions/adjustments?
  * should ubuntu-* abstractions be made generic? (basically the same in debian, but not for opensuse)
  * we need a transition period, where we would rename the current abstraction to a generic name and make those call the current abstraction during the migration period
  * what should happen to the existing abstractions?
  * maybe they should be in the same place (cross distro repo) -> tbd
  * ship a machine-readable metadata file which documents where/how each profile is shipped
  * note if a profile is shipped in enforce or complain mode too

    eg in debian/jessie branch:
      - usr.bin.evince:
          package: apparmor-profiles-extra
          filename_in_source_pkg: profiles/usr.bin.evince
          mode: enforce

    eg in ubuntu/vivid branch:
      - usr.bin.evince:
          package: evince
          filename_in_source_pkg: debian/apparmor-profile
          mode: enforce

    eg in opensuse/current:
      - usr.bin.smbd:
          package: apparmor-profiles
          filename_in_source_pkg: etc/apparmor.d/usr.sbin.smbd
          mode: complain

    => format of those files could be yaml

  * automatic pulling from ubuntu is possible, using a specific URL
  * automatic pulling from debian, not yet possible

steps:
  * set up repo
  * pull all profiles to main branch
  * then distro specific modifications in each distro branch
  * if a distro does not ship a certain profile, we would not delete this file from the branch, we would instead have a field in the metadata file:
  * metadata files should also live in branches so that we have the history of those

----------------------------------------------------

we need 2 sets of branches:
  * automatically updated (auto)
  * manually updated (feature)

In AUTO we automatically pull the profiles from the packages of each distribution.
=> in auto we find the state of profiles as they are in the current distributions

auto
  /debian/jessie
  /debian/current
  /opensuse/current
  /ubuntu/current

// package maintainers and pk-apparmor-team work on this branch.
// we can have profiles here but we don't need to.
// when wip is finished, we could remove the files from those branches after they were merged into auto.
wip
  /debian/jessie
  /debian/current
  /opensuse/current

// if debian/current and opensuse/current are in sync for the same profile, the profile can go into master.
master (contains profiles which are "the holy grail", where the profiles are all in the same shape)

we fork topic branches off of the master branch and each distribution can merge the topic branches it wants to use into wip/BLAH

namespace: /topic/$app_$something

Question: do we know which application upstream version a profile works with?
=> We could add this information to the metadata file (eg "known to work with x.x.x")

cboltz: if profiles are available in an upstream tarball, we might not need to have them in master
=> intrigeri proposes a blacklist of profiles

Bootstrapping process
=====================

* initial empty commit so that all the branches share the same parent.

example topic branch:
* master -> topic/ping_ipv8 -> merge into wip/debian/jessie and wip/opensuse/something -> then it can be merged into master
  then topic/ping_ipv8 will become master
* wip/debian/jessie with ping_ipv8 will go into the ping package and the auto importer will import the content change (not the git history, that is) back into auto/debian/jessie
  -> we need notifications when the diff between different branches (master - auto - wip) is not empty.
* we still need to decide if the abstractions should go into the cross-distro-repository

how do we go from the current state to our cross distro repo?

intri's notes
=============

XXX: merge with above notes
XXX: extract remaining discussion topics

[apparmor] Centralized or distributed policy
[apparmor] cross-distribution profile repo

* complain mode?
* move profiles from aa-p-e to the affected individual packages
* what to do with "extra" packages from apparmor upstream tarball?
  - move to a profiles repo?

branches:
  2.9
  2.10
  ubuntu/current
  ubuntu/trusty
  debian/current
  debian/jessie
  debian/stretch (post-freeze)
  opensuse/current
  ...
  => what to do once we've (almost) all converged?
* have these branches *automatically* updated
  - Debian:
    * http://codesearch.debian.net/search?q=%2Fetc%2Fapparmor.d
    * apt-file
    * Suggests: apparmor
  - Ubuntu:
    * <53FE9111.9070202@canonical.com>
    * http://anonscm.debian.org/gitweb/?p=collab-maint/apparmor-profiles-extra.git;a=blob;f=debian/scripts/pull-profile-from-ubuntu
  - OpenSuSE: XXX
* use tunables for distro-specific adjustments
* what to do with ubuntu-* abstractions? make them generic, rename to generic name, and make them load the renamed one to ease migration
* abstractions in the shared profiles repo: OK temporarily as a way to improve/refactor WIP profiles before they go upstream
* profiles and abstractions from the apparmor tarball: move them to the shared profiles repo?

on each branch, have a machine-readable metadata file that documents where/how each profile is shipped:
  XXX: name of this file

  e.g. in debian/jessie branch:
    - usr.bin.evince:
        package: apparmor-profiles-extra
        filename_in_source_package: profiles/usr.bin.evince
        mode: enforce

  to express that a profile is *not* shipped in the distro:
    - usr.bin.skype:
        package:

  e.g. in ubuntu/vivid branch:
    - usr.bin.evince:
        package: evince
        filename_in_source_package: debian/apparmor-profile
        mode: enforce

  e.g. in opensuse/current:
    - usr.bin.smbd:
        package: apparmor-profiles
        filename_in_binary_package: etc/apparmor.d/usr.bin.smbd
        mode: complain

  => Ubuntu doesn't need placeholders anymore :)

* merging e.g. from 2.9 into debian/jessie, to look for bugfixes we might want to push as a stable update? debian/jessie-updates?
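As an added example (not part of these notes and not tooling from any of the distros mentioned), the script below ties together two points raised above: the per-branch metadata file, including the "package:" left empty to mark a profile as not shipped, and the wish for a notification when two branches disagree about a profile. The field names follow the notes; the two sample metadata files, the package names in them and the helper names parse_metadata and compare_branches are constructed for illustration. It deliberately parses the small list-of-mappings layout by hand instead of importing a YAML library so that it runs with nothing but the standard library; a real importer would use a YAML loader.

```python
"""Parse per-branch profile metadata and report where two branches disagree."""

# Constructed sample metadata in the shape sketched in the notes (assumption:
# the package names and shipping state are illustrative, not real distro data).
DEBIAN_JESSIE = """\
- usr.bin.evince:
    package: apparmor-profiles-extra
    filename_in_source_package: profiles/usr.bin.evince
    mode: enforce
- usr.bin.skype:
    package:
- usr.sbin.smbd:
    package: apparmor-profiles-extra
    filename_in_source_package: profiles/usr.sbin.smbd
    mode: complain
"""

UBUNTU_VIVID = """\
- usr.bin.evince:
    package: evince
    filename_in_source_package: debian/apparmor-profile
    mode: enforce
- usr.sbin.smbd:
    package: samba
    filename_in_source_package: debian/apparmor-profile
    mode: enforce
"""

VALID_MODES = {"enforce", "complain"}


def parse_metadata(text):
    """Parse the list-of-mappings layout into {profile: {field: value}}.

    A profile whose 'package' field is empty is stored with package=None,
    which is how the notes express 'not shipped in this distro'.  A shipped
    profile must carry a mode of enforce or complain.
    """
    profiles = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("- ") and line.endswith(":"):
            current = line[2:-1].strip()          # "- usr.bin.evince:" -> name
            profiles[current] = {}
            continue
        if current is None or not line.startswith(" "):
            raise ValueError("field outside a profile entry: %r" % line)
        key, _, value = line.strip().partition(":")  # split on the first colon
        profiles[current][key] = value.strip() or None
    for name, fields in profiles.items():
        mode = fields.get("mode")
        if fields.get("package") is not None and mode not in VALID_MODES:
            raise ValueError("%s: mode must be enforce or complain, got %r" % (name, mode))
    return profiles


def is_shipped(fields):
    """True when the entry names a package, i.e. the distro ships the profile."""
    return fields.get("package") is not None


def compare_branches(left, right):
    """Return sorted (profile, reason) pairs for every disagreement.

    An empty result is the 'diff between branches is empty' condition; anything
    else is what a notification job would report.
    """
    findings = []
    for name in sorted(set(left) | set(right)):
        l, r = left.get(name), right.get(name)
        if l is None or r is None:
            findings.append((name, "missing from one branch's metadata"))
            continue
        if is_shipped(l) != is_shipped(r):
            findings.append((name, "shipped in only one branch"))
            continue
        if is_shipped(l) and l.get("mode") != r.get("mode"):
            findings.append((name, "mode differs: %s vs %s" % (l["mode"], r["mode"])))
    return findings


if __name__ == "__main__":
    jessie = parse_metadata(DEBIAN_JESSIE)
    vivid = parse_metadata(UBUNTU_VIVID)
    for profile, reason in compare_branches(jessie, vivid):
        print("%s: %s" % (profile, reason))
```

Run as a script it flags usr.bin.skype (absent from the Ubuntu file) and usr.sbin.smbd (complain in one branch, enforce in the other), while usr.bin.evince passes even though it lives in different packages, since the comparison is about whether and how a profile is shipped, not where. Mode mismatches are worth surfacing on their own: a profile silently staying in complain mode on one distro means the confinement it documents is not actually enforced there.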