Use dh_apparmor for installing profile

dh_apparmor generates the appropriate postinst and postrm snippets for (re)loading apparmor profiles in a way that seems more robust than our current usage of `aa-enforce`. If apparmor isn't enabled, then it gracefully skips instead of aborting the installation. This allows for installing the client package in contexts where apparmor isn't available, like containers. Fixes #1853.
freedomofpress · Feb 21, 2024 · 1262013 · 1262013
1 parent 5f76f10
commit 1262013
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/debian/control b/debian/control
@@ -2,14 +2,14 @@ Source: securedrop-client
 Section: unknown
 Priority: optional
 Maintainer: SecureDrop Team <[email protected]>
-Build-Depends: debhelper-compat (= 11), python3-virtualenv
+Build-Depends: debhelper-compat (= 11), dh-apparmor, python3-virtualenv
 Standards-Version: 3.9.8
 Homepage: https://github.com/freedomofpress/securedrop-client
 X-Python3-Version: >= 3.5
 
 Package: securedrop-client
 Architecture: all
-Depends: ${python3:Depends},${misc:Depends}, python3-pyqt5, python3-pyqt5.qtsvg, apparmor-utils
+Depends: ${python3:Depends},${misc:Depends}, python3-pyqt5, python3-pyqt5.qtsvg
 Description: securedrop client for qubes workstation
 
 Package: securedrop-export

diff --git a/debian/rules b/debian/rules
@@ -9,6 +9,7 @@ override_dh_auto_install:
  bash ./debian/setup-venv.sh log
  bash ./debian/setup-venv.sh proxy
  dh_auto_install
+ dh_apparmor --profile-name=usr.bin.securedrop-client -psecuredrop-client
 
 override_dh_strip_nondeterminism:
  find ./debian/ -type f -name '*.pyc' -delete

diff --git a/debian/securedrop-client.postinst b/debian/securedrop-client.postinst
@@ -22,7 +22,6 @@ case "$1" in
  configure)
 
  update-desktop-database /usr/share/applications
- aa-enforce /usr/bin/securedrop-client
  ;;
 
  abort-upgrade|abort-remove|abort-deconfigure)