apparmor depends on python3

Bug #1865519 reported by Sergio Schvezov on 2020-03-02
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Undecided
Unassigned
snapd
Wishlist
Unassigned
apparmor (Ubuntu)
Undecided
Unassigned
snapd (Ubuntu)
Undecided
Unassigned

Bug Description

The TL;DR;
- AppArmor depends on python3 to support aa-status.
- snapd depends on apparmor.
- buildd images have no python
- building snaps requires snapd
- snapd does not require aa-status
- building snaps unnecessarily installs python3 onto the system

Proposal:
- Split runtime requirements from apparmor into apparmor-minimal
- have apparmor depend on apparmor-minimal
- change snapd's dependency on apparmor to apparmor-minimal

Dimitri John Ledkov (xnox) wrote :

Package splits are pain, simply downgrade the python3 Depends to Recommends or Suggests, as appropriate.

Do buildd images install recommends?

Jamie Strandboge (jdstrand) wrote :

We've discussed this in the past and it was determined that 'aa-status' is to be part of every apparmor minimal install (which is why it is in apparmor and all the other python tools are in apparmor-utils) so splitting out of apparmor-minimal doesn't really work with this thinking.

Perhaps moving aa-status to a new 'apparmor-status' package, have it Depends on python3, then have the 'apparmor' package Recommends 'apparmor-status' could be a way to go. snapd should still Depends on apparmor, which would pull in apparmor-status (and it should-- we want aa-status on UC devices, etc).

Alternatively, aa-status could be rewritten in C/C++ (like other parts of apparmor). This is probably the best solution for your problem.

Can you elaborate on the problem this is trying to solve (building snaps unnecessarily installs python3 onto the system-- why specifically is this an issue?)

John Johansen (jjohansen) wrote :

aa-status needs a major update. It doesn't support several things

  - profile stacks
  - newer profile modes
  - additional profile info available in kernel (revision etc)
  - it doesn't deal with namespaces
  - can't identify when userspace and kernel policy are out of sync
  - doesn't take advantage of newer apis when available
  - doesn't work with unprivileged policy

The actual mechanics of aa-status are pretty straight forward. It wouldn't be too hard to rewrite in C and since its part of the required base it should be.

Changed in snapd:
status: New → Triaged
importance: Undecided → Wishlist
Changed in snapd:
status: Triaged → Invalid
Changed in snapd (Ubuntu):
status: New → Invalid
Steve Beattie (sbeattie) wrote :

An initial port of aa-status to C landed in https://gitlab.com/apparmor/apparmor/-/commit/8f9046b1b179190d0003ae1beacf460ee93c5090 and will e in the upcoming AppArmor 3 release. There is a follow up improvement in https://gitlab.com/apparmor/apparmor/-/merge_requests/487 that should also land.

Changed in apparmor (Ubuntu):
status: New → Fix Committed
status: Fix Committed → Confirmed
Changed in apparmor:
status: New → Fix Committed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers