implement 'local/' mechanism to aid in packaging:

- create profiles/apparmor.d/local/README to explain it all
- adjust shipped profiles in profiles/apparmor.d to include the local changes
- adjust profiles/Makefile for local files

profiles/Makefile

@@ -1,8 +1,7 @@
 # ------------------------------------------------------------------
 #
-#    $Id$
+#    Copyright (C) 2002-2009 Novell/SUSE
-#
+#    Copyright (C) 2010 Canonical Ltd.
-#    Copyright (C) 2002-2006 Novell/SUSE
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -18,7 +17,7 @@
 #
 # ------------------------------------------------------------------
 
-# Makefile for LSM-based AppArmor SuSE profiles
+# Makefile for LSM-based AppArmor profiles
 
 NAME=apparmor-profiles
 ALL:
@@ -37,18 +36,25 @@ PROFILES_DEST=${DESTDIR}/etc/apparmor.d
 EXTRAS_DEST=${DESTDIR}/etc/apparmor/profiles/extras/
 PROFILES_SOURCE=./apparmor.d
 EXTRAS_SOURCE=./apparmor/profiles/extras/
-SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions ${PROFILES_SOURCE}/apache2.d ${PROFILES_SOURCE}/program-chunks ${PROFILES_SOURCE}/tunables
+SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions ${PROFILES_SOURCE}/apache2.d ${PROFILES_SOURCE}/program-chunks ${PROFILES_SOURCE}/tunables ${PROFILES_SOURCE}/local
 PROFILES_TO_COPY=$(filter-out ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*))
 TUNABLES_TO_COPY=$(filter-out ${PROFILES_SOURCE}/tunables/home.d, $(wildcard ${PROFILES_SOURCE}/tunables/*))
 
+local:
+	for profile in ${PROFILES_TO_COPY}; do \
+		fn=$$(basename $$profile); \
+		echo "# Site-specific additions and overrides for '$$fn'" > ${PROFILES_SOURCE}/local/$$fn; \
+	done; \
+
 .PHONY: install
-install: 
+install: local
 	install -m 755 -d ${PROFILES_DEST}
 	install -m 755 -d ${PROFILES_DEST}/abstractions \
                           ${PROFILES_DEST}/apache2.d \
                           ${PROFILES_DEST}/program-chunks \
                           ${PROFILES_DEST}/tunables \
-                          ${PROFILES_DEST}/tunables/home.d
+                          ${PROFILES_DEST}/tunables/home.d \
+                          ${PROFILES_DEST}/local
 	install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST}
 	install -m 644 ${PROFILES_SOURCE}/abstractions/* ${PROFILES_DEST}/abstractions
 	install -m 644 ${PROFILES_SOURCE}/apache2.d/* ${PROFILES_DEST}/apache2.d
@@ -57,10 +63,11 @@ install:
 	install -m 644 ${PROFILES_SOURCE}/tunables/home.d/* ${PROFILES_DEST}/tunables/home.d
 	install -m 755 -d ${EXTRAS_DEST}
 	install -m 644 ${EXTRAS_SOURCE}/* ${EXTRAS_DEST}
+	install -m 644 ${PROFILES_SOURCE}/local/* ${PROFILES_DEST}/local
 
 .PHONY: clean
 clean:
-	-rm -f $(NAME)-$(VERSION)*.tar.gz Make.rules
+	-rm -f $(NAME)-$(VERSION)*.tar.gz Make.rules ${PROFILES_SOURCE}/local/[a-z]*
 
 ifndef VERBOSE
   Q=@

profiles/apparmor.d/bin.ping

@@ -1,8 +1,7 @@
-# Last Modified: Thu Aug  2 14:28:48 2007
-# $Id$
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -22,4 +21,7 @@
 
   /bin/ping mixr,
   /etc/modules.conf r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/bin.ping>
 }

profiles/apparmor.d/local/README

@@ -0,0 +1,17 @@
+This directory is intended to contain profile additions and overrides for
+inclusion by distributed profiles to aid in packaging AppArmor for
+distributions. While the shipped profiles in /etc/apparmor.d can still be
+modified by an administrator, adjusting them here ensures that the package
+manager of the distribution won't interfere with local modifications.
+
+For example, if the shipped /etc/apparmor.d/usr.sbin.smbd profile has:
+#include <local/usr.sbin.smbd>
+
+then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd to
+contain any additional paths to be allowed, such as:
+
+  /var/exports/** lrw,
+
+Keep in mind that 'deny' rules are evaluated after allow rules, so you won't be
+able to allow access to files that are explicitly denied by the shipped profile
+using this mechanism.

profiles/apparmor.d/sbin.klogd

@@ -1,7 +1,7 @@
-# $Id$
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -29,4 +29,6 @@
   /var/run/klogd/klogd.pid krwl,
   /var/run/klogd/kmsg   r,
 
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/sbin.klogd>
 }

profiles/apparmor.d/sbin.syslog-ng

@@ -1,8 +1,8 @@
-# $Id$
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2006 Novell/SUSE
+#    Copyright (C) 2006-2009 Novell/SUSE
 #    Copyright (C) 2006 Christian Boltz
+#    Copyright (C) 2010 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -41,5 +41,6 @@
   @{CHROOT_BASE}/var/log/** w,
   @{CHROOT_BASE}/var/run/syslog-ng.pid krw,
 
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/sbin.syslog-ng>
 }
-

profiles/apparmor.d/sbin.syslogd

@@ -1,7 +1,7 @@
-# $Id$
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -33,4 +33,7 @@
   /var/run/syslogd.pid          krwl,
   /var/run/utmp                 rw,
   /var/spool/compaq/nic/messages_fifo rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/sbin.syslogd>
 }

profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2

@@ -1,10 +1,9 @@
-# Last Modified: Wed Sep 16 11:58:00 2009
 # Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
-#include <tunables/global>
 
+#include <tunables/global>
 /usr/lib/apache2/mpm-prefork/apache2 {
 
-  # This is profile is completely permissive.
+  # This profile is completely permissive.
   # It is designed to target specific applications using mod_apparmor,
   # hats, and the apache2.d directory.
   #
@@ -75,4 +74,6 @@
 
   #include <apache2.d>
 
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.apache2.mpm-prefork.apache2>
 }

profiles/apparmor.d/usr.lib.dovecot.deliver

@@ -1,5 +1,5 @@
-# Last Modified: Wed Jun 10 00:20:56 2009
 # Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+
 #include <tunables/global>
 /usr/lib/dovecot/deliver {
   #include <abstractions/base>
@@ -17,4 +17,7 @@
   @{HOME}/mail/.imap/** klrw,
   /usr/lib/dovecot/deliver mr,
   /var/mail/* klrw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.deliver>
 }

profiles/apparmor.d/usr.lib.dovecot.dovecot-auth

@@ -1,5 +1,5 @@
-# Last Modified: Fri Oct 10 17:19:26 2008
 # Author: Kees Cook <kees@ubuntu.com>
+
 #include <tunables/global>
 /usr/lib/dovecot/dovecot-auth {
   #include <abstractions/authentication>
@@ -17,4 +17,7 @@
   /var/run/dovecot/** rw,
   # required for postfix+dovecot integration
   /var/spool/postfix/private/dovecot-auth w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.dovecot-auth>
 }

profiles/apparmor.d/usr.lib.dovecot.imap

@@ -1,5 +1,5 @@
-# Last Modified: Sat Oct 11 09:17:38 2008
 # Author: Kees Cook <kees@ubuntu.com>
+
 #include <tunables/global>
 /usr/lib/dovecot/imap {
   #include <abstractions/base>
@@ -16,4 +16,7 @@
   @{HOME}/mail/.imap/** klrw,
   /usr/lib/dovecot/imap mr,
   /var/mail/* klrw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.imap>
 }

profiles/apparmor.d/usr.lib.dovecot.imap-login

@@ -1,5 +1,5 @@
-# Last Modified: Wed Oct  8 00:20:56 2008
 # Author: Kees Cook <kees@ubuntu.com>
+
 #include <tunables/global>
 /usr/lib/dovecot/imap-login {
   #include <abstractions/base>
@@ -15,4 +15,7 @@
   /usr/lib/dovecot/imap-login mr,
   /var/run/dovecot/login/ r,
   /var/run/dovecot/login/* rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.imap-login>
 }

profiles/apparmor.d/usr.lib.dovecot.managesieve-login

@@ -1,5 +1,5 @@
-# Last Modified: Wed Jun 10 00:20:56 2009
 # Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+
 #include <tunables/global>
 /usr/lib/dovecot/managesieve-login {
   #include <abstractions/base>
@@ -15,4 +15,7 @@
   /usr/lib/dovecot/managesieve-login mr,
   /var/run/dovecot/login/ r,
   /var/run/dovecot/login/* rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.managesieve-login>
 }

profiles/apparmor.d/usr.lib.dovecot.pop3

@@ -1,5 +1,5 @@
-# Last Modified: Wed Oct  8 00:21:56 2008
 # Author: Kees Cook <kees@ubuntu.com>
+
 #include <tunables/global>
 /usr/lib/dovecot/pop3 {
   #include <abstractions/base>
@@ -15,4 +15,7 @@
   @{HOME}/Maildir/ rw,
   @{HOME}/Maildir/** klrw,
   /usr/lib/dovecot/pop3 mr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.pop3>
 }

profiles/apparmor.d/usr.lib.dovecot.pop3-login

@@ -1,5 +1,5 @@
-# Last Modified: Wed Oct  8 00:20:57 2008
 # Author: Kees Cook <kees@ubuntu.com>
+
 #include <tunables/global>
 /usr/lib/dovecot/pop3-login {
   #include <abstractions/base>
@@ -14,4 +14,7 @@
   /usr/lib/dovecot/pop3-login mr,
   /var/run/dovecot/login/ r,
   /var/run/dovecot/login/* rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.pop3-login>
 }

profiles/apparmor.d/usr.sbin.avahi-daemon

@@ -1,4 +1,3 @@
-# Last Modified: Wed Aug 15 10:55:46 2007
 #include <tunables/global>
 /usr/sbin/avahi-daemon {
   #include <abstractions/base>
@@ -24,4 +23,7 @@
   /var/run/avahi-daemon/pid krw,
   /var/run/avahi-daemon/socket w,
   /var/run/dbus/system_bus_socket w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.avahi-daemon>
 }

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -1,4 +1,5 @@
 # Author: John Dong <jdong@ubuntu.com>
+
 #include <tunables/global>
 /usr/sbin/dnsmasq {
   #include <abstractions/base>
@@ -20,4 +21,7 @@
   /var/run/dnsmasq/* rw,
 
   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.dnsmasq>
 }

profiles/apparmor.d/usr.sbin.dovecot

@@ -1,5 +1,5 @@
-# Last Modified: Fri Oct 10 17:20:34 2008
 # Author: Kees Cook <kees@ubuntu.com>
+
 #include <tunables/global>
 /usr/sbin/dovecot {
   #include <abstractions/authentication>
@@ -30,4 +30,7 @@
   /var/lib/dovecot/* krw,
   /var/run/dovecot/ rw,
   /var/run/dovecot/** rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.dovecot>
 }

profiles/apparmor.d/usr.sbin.identd

@@ -1,7 +1,7 @@
-# $Id$
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -24,4 +24,7 @@
   @{PROC}/net/tcp          r,
   @{PROC}/net/tcp6         r,
   /var/run/identd.pid      w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.identd>
 }

profiles/apparmor.d/usr.sbin.mdnsd

@@ -1,8 +1,7 @@
-# $Id$
-# vim:syntax=apparmor
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -29,4 +28,7 @@
   @{PROC}/net/unix r,
   /var/run/mdnsd lw,
   /var/run/mdnsd.pid w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.mdnsd>
 }

profiles/apparmor.d/usr.sbin.nmbd

@@ -1,5 +1,3 @@
-# vim:syntax=apparmor
-# Last Modified: Wed Jun 20 13:22:50 2007
 #include <tunables/global>
 
 /usr/sbin/nmbd {
@@ -16,4 +14,7 @@
   /var/run/samba/nmbd.pid rw,
   /var/log/samba/cores/nmbd/ rw,
   /var/log/samba/cores/nmbd/** rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.nmbd>
 }

profiles/apparmor.d/usr.sbin.nscd

@@ -1,8 +1,7 @@
-# $Id#
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
-#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2009-2010 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -40,4 +39,7 @@
   @{PROC}/[0-9]*/maps r,
   @{PROC}/[0-9]*/mounts r,
   @{PROC}/filesystems r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.nscd>
 }

profiles/apparmor.d/usr.sbin.ntpd

@@ -1,8 +1,7 @@
-# Last Modified: Thu Aug  2 14:37:03 2007
-# $Id$
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -64,6 +63,9 @@
   # allow access for when chrooted
   /var/lib/ntp/@{PROC}/*/net/if_inet6 r,
   /var/lib/ntp/@{PROC}/*/sys/kernel/ngroups_max r,
- 
+
   @{NTPD_DEVICE} rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.ntpd>
 }

profiles/apparmor.d/usr.sbin.smbd

@@ -1,5 +1,3 @@
-# vim:syntax=apparmor
-# Last Modified: Wed Jun 20 13:34:25 2007
 #include <tunables/global>
 
 /usr/sbin/smbd {
@@ -35,4 +33,7 @@
   /var/spool/samba/** rw,
 
   @{HOMEDIRS}/** lrw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.smbd>
 }

profiles/apparmor.d/usr.sbin.traceroute

@@ -1,8 +1,7 @@
-# Last Modified: Thu Aug  2 13:33:43 2007
-# $Id$
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -20,4 +19,7 @@
 
   /usr/sbin/traceroute rmix,
   @{PROC}/net/route r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.traceroute>
 }