How to contribute to the AppArmor upstream profiles

If you want to contribute to the existing upstream AppArmor profiles, you need to create an account on Canonical’s Launchpad and upload an SSH key so that you are able to push your changes. You will also need to install Canonical’s version control system, called Bazaar:

apt-get install bzr

Go to, or create, a directory where you want to check out the code:

mkdir apparmor-dev
cd apparmor-dev
bzr branch lp:apparmor-profiles master
ls master

Define your identity like this:

bzr whoami "My Name <>"

Bazaar does not handle branches the way Git does, unfortunately. It feels odd at first: you create a directory in which you make a copy of the master branch, work on that copy, and later ask for it to be merged back into the master branch.

mkdir myname
bzr branch master myname/pidgin
ls myname/pidgin

Then start modifying the profiles with a text editor and test them. Testing is done by disabling and re-enabling the profile.
Once done, you can commit and push the changes to your remote branch:

bzr ci
bzr push

Then connect to Launchpad’s web interface. Go to your page and look for the branch you just pushed. Click on “Change branch details” and link the branch to apparmor-profiles. You will then be able to request a merge through the web interface.
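The "test them" step above is an iterate-on-denials loop: run the confined program, read the AppArmor audit messages, and turn each denial into a profile rule. As an added example (not from this post or from the AppArmor project), here is a small offline stand-in for that loop in the spirit of aa-logprof; the audit lines are constructed, the paths are made up, and defaulting exec denials to `ix` is an assumption a reviewer would revisit.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules (educational stand-in for aa-logprof)."""
import re

# Constructed sample audit lines, shaped like /var/log/audit/audit.log entries (not captured from a real system).
SAMPLE_LOG = """
type=AVC msg=audit(1414660000.001:1): apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" name="/home/user/.purple/accounts.xml" pid=1234 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1414660000.002:2): apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" name="/home/user/.purple/accounts.xml" pid=1234 comm="pidgin" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1414660000.003:3): apparmor="DENIED" operation="exec" profile="/usr/bin/pidgin" name="/usr/bin/xdg-open" pid=1235 comm="pidgin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1414660000.004:4): apparmor="ALLOWED" operation="open" profile="/usr/bin/pidgin" name="/etc/fonts/fonts.conf" pid=1234 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')
PERM_ORDER = "rwalkm"                 # display order for file permissions in a rule
MASK_MAP = {"c": "w", "d": "w"}       # create/delete in a denied_mask are covered by 'w' in a rule


def parse_line(line):
    """Return the key=value fields of one audit line as a dict."""
    fields = {}
    for qk, qv, bk, bv in FIELD_RE.findall(line):
        fields[qk or bk] = qv if qk else bv
    return fields


def to_rule(path, owner, mask_chars):
    """Build one file rule from a path, an owner flag and the merged denied_mask characters."""
    perms = {MASK_MAP.get(c, c) for c in mask_chars}
    # Assumption: exec denials become 'ix' (inherit); the reviewer decides between ix/Px/Cx.
    exec_q = "ix" if "x" in perms else ""
    perms.discard("x")
    body = "".join(sorted(perms, key=PERM_ORDER.find)) + exec_q
    return f"{'owner ' if owner else ''}{path} {body},"


def suggest_rules(log_text):
    """Map each profile name to a sorted list of candidate rules, merging masks per path.
    Only DENIED file events count; 'owner' is used when the process and file uids match."""
    merged = {}  # (profile, path, owner) -> set of denied_mask characters
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED" or "name" not in f or "denied_mask" not in f:
            continue
        key = (f["profile"], f["name"], f.get("fsuid") == f.get("ouid"))
        merged.setdefault(key, set()).update(f["denied_mask"])
    rules = {}
    for (profile, path, owner), mask in merged.items():
        rules.setdefault(profile, []).append(to_rule(path, owner, mask))
    return {p: sorted(r) for p, r in rules.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(profile)
        for rule in rules:
            print("  " + rule)
```

Running it prints, for the constructed log, one merged read/write rule for the owner's accounts file and one exec rule for xdg-open, while the ALLOWED line (complain mode) is ignored.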

Note that upstream AppArmor profiles also live in other repositories.


How does my AppArmor profile get into Debian?

I have spent the last days trying to understand the relationship between AppArmor, the AppArmor profiles and Debian’s AppArmor profiles. Let me try to briefly introduce you to this.

First of all, let me emphasize that one needs to distinguish between AppArmor, the kernel module, the AppArmor userspace tools and the AppArmor profiles, which define rules for application confinement. As stated on the project’s wiki:

The AppArmor project source is split between the kernel module, available in the Linux kernel and git development tree and the user space tools available in launchpad.

So, upstream AppArmor profile development takes place at Canonical’s Launchpad. The profiles developed there serve as a basis for some of those included in Debian. It is thus useful to try to contribute to this upstream when updating a profile for Debian.

The AppArmor userspace tools are shipped in the apparmor and apparmor-utils Debian packages, and are all built from the apparmor source package.

Since AppArmor 2.9 was introduced, rules in a profile which are not supported by the AppArmor parser and the running kernel are ignored. (The AppArmor 2.8.x parser would fail to load a profile that has e.g. mount or signal rules, unless the kernel had out-of-tree patches applied to support them.)
Thus, collaboration between the different Linux distributions shipping AppArmor will become much simpler.

In the aforementioned Launchpad repository you can find the profiles that are currently in development. For Ubuntu, once tested and ready, they are removed from this repository and finally included into the corresponding package. For example, the profile for Evince, the GNOME PDF viewer, is available in the evince package.

In Debian, however, only some packages ship their own profiles. This concerns for example bind, clamav, cups and tor. Many profiles are not – yet – included with their package, and are instead delivered through the apparmor-profiles and apparmor-profiles-extra packages. These are maintained by the Debian AppArmor packaging team. The team takes care of merging changes from the upstream profiles into Debian, and vice versa.

Today, the relationship between Upstream and Debian looks like this:

(Table: columns Debian source package, Debian binary package, Ubuntu source package, Ubuntu binary package; row for apparmor and apparmor-profiles; the remaining cells are missing from the page.)

In the future, this should change. It would indeed be desirable for Debian package maintainers to include profiles with the packages they maintain and to update them accordingly when the package itself is updated. It is much more logical to do it that way, as changes in a package like Pidgin or Evince can occur at a different point in time than an update of the apparmor-profiles-extra package. Furthermore, the package maintainer is the person best placed to actually test a program that is being confined by an AppArmor profile.

I started working on documentation for Debian package maintainers which describes how to ship, test and debug an AppArmor profile with your package. This documentation will receive many updates during the next months.



I have been accepted to participate in Round 9 of the GNOME Outreach Program. During the next 12 weeks, I will work on AppArmor in Debian with Holger Levsen and intrigeri as mentors.

The Outreach Program

I first heard about the Outreach Program through the Debian Women mailing list several months ago and decided back then that I would apply for the next round if Debian was part of it.

Over at Debian, the application process was open and happened through the Debian Wiki. Thus, all applicants were able to see the other applications. This was quite interesting, though very intimidating for me. The other applicants all looked like very strong candidates! The two other women who will work for Debian during this round are Jinjie Jiang (Debsources) and Virginia King (improving documentation of the Debian bug tracking system).

I am very happy to be able to participate in this program, as I am not a student anymore, and thus not able to participate in GSoC or similar programs. As a freelance worker who needs to pay rent, I need the help offered by the Outreach Program in order to be able to spend a reasonable amount of time on Free Software, in this case on AppArmor in Debian.


AppArmor is a Linux Security Module which makes it possible to confine applications. This happens through profiles which are specifically written to restrain the application’s access to parts of the file system, and by specifically allowing access to other parts.

It is not yet widely deployed in Debian, although it has been around for quite some time and is shipped by default in Ubuntu and openSUSE. During the internship, I shall set up documentation in order to make it easier for Debian Developers to adopt AppArmor, and will also try to work out a means which makes it easier for an average user to install and activate the AppArmor package in Debian.

Looking forward!

Next steps