Commit 13722c56 authored by intrigeri's avatar intrigeri
Browse files

Pin the AppArmor feature set to the Stretch's kernel one.

Linux 4.14 brings new AppArmor mediation features and the policy shipped in
Stretch may not be ready for it. So let's disable these new features to avoid
breaking stuff: it's too hard to check if all the policy for apps we ship (and
that users install themselves) has the right rules to cope with these new
mediation features.

This feature set file will be:

 - either removed: once we install an apparmor package that ships its own,
   maintained elsewhere, feature set (probably via Debian#879585);

 - or upgraded: to the Buster kernel's, when we move to Buster, iff.
   Debian does not ship any pinned feature set then (refs: #15149).

This commit ports to our build system the changes that are in Buster/sid
currently, except we include the Stretch's kernel feature set while Buster/sid
is pinned to Linux 4.14's feature set (the policy in Buster/sid was updated to
support it). This is exactly what will likely land in the next Debian Stretch
point release. I'm using a different filename from the one used on Debian, in
order to make it easier to compare the "upstream" (Debian) file with ours.
And while I'm at it I'm adding a build-time sanity check that will warn us if
there's some maintenance work to do on our side.
parent 9cf42c44
#! /bin/sh
set -e
set -u
set -x
echo "Checking if we should stop shipping our own AppArmor feature set"
if [ -f /usr/share/apparmor-features/features ]; then
if cmp -q /usr/share/apparmor-features/features.Tails \
/usr/share/apparmor-features/features; then
echo "Debian ships the same AppArmor feature set as ours. " \
"Likely we can now remove our own one." >&2
echo "Debian ships a different AppArmor feature set from ours. " \
"Likely our own one is outdated and can be removed:" >&2
diff -Naur \
/usr/share/apparmor-features/features.Tails \
/usr/share/apparmor-features/features \
# In any case, we probably have to do something about it.
exit 1
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
capability {0xffffff
file {mask {create read write exec append mmap_exec link lock
domain {change_profile {yes
change_onexec {yes
change_hatv {yes
change_hat {yes
policy {set_load {yes
Description: pin the AppArmor feature set to the Stretch's kernel one
Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
policy in a relaxed manner.
Forwarded: not-needed
Author: intrigeri <>
--- a/etc/apparmor/parser.conf
+++ b/etc/apparmor/parser.conf
@@ -60,3 +60,7 @@
## Adjust compression
+## Pin feature set (avoid regressions when policy is lagging behind
+## the kernel)
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment