Emulate dh_apparmor; drop apparmor-utils dependency

aa-enforce is shipped in apparmor-utils, use the underlying `apparmor_parser` command provided by apparmor to enable the two profiles. This simplifies the dependency tree during the noble migration. Switching to dh_apparmor properly (#7413) would be nice but is a bigger task for later.
freedomofpress · Jan 17, 2025 · 29b7c42 · 29b7c42
1 parent 0b6bfdf
commit 29b7c42
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/securedrop/debian/control b/securedrop/debian/control
@@ -10,7 +10,7 @@ Package: securedrop-app-code
 Architecture: amd64
 Conflicts: libapache2-mod-wsgi, supervisor
 Replaces: libapache2-mod-wsgi, supervisor
-Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, ${apparmor:Depends}, apache2, apparmor-utils, coreutils, gnupg2, libapache2-mod-xsendfile, paxctld, python3, redis-server, securedrop-config, securedrop-keyring, sqlite3
+Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, ${apparmor:Depends}, apache2, coreutils, gnupg2, libapache2-mod-xsendfile, paxctld, python3, redis-server, securedrop-config, securedrop-keyring, sqlite3
 Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode.
 
 Package: securedrop-config

diff --git a/securedrop/debian/securedrop-app-code.postinst b/securedrop/debian/securedrop-app-code.postinst
@@ -284,8 +284,9 @@ case "$1" in
         rm /etc/apparmor.d/disable/usr.sbin.apache2
     fi
 
-    aa-enforce /etc/apparmor.d/usr.sbin.tor
-    aa-enforce /etc/apparmor.d/usr.sbin.apache2
+    # Emulate what dh-apparmor does
+    apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.tor
+    apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.apache2
 
     # Munge Apache config while service is stopped.
     adjust_wsgi_configuration