Add functional AppArmor profile for MariaDB 11.8

Otto Kekäläinenrequested to merge
otto/mariadb-server:feature/apparmor-profile into debian/latest

Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875890

Replace the intentionally empty profile with a working one adapted from MySQL 8.0 and 8.4 examples in Ubuntu.

Key adaptations:

  • Change profile name to mariadbd to match MariaDB's binary
  • Keep /usr/sbin/mysqld rule for compatibility with legacy scripts
  • Update local include path to local/mariadbd for site-specific overrides
  • Use 'mariadb' in path names and plenty of wildcards to match common variations

Also update packaging:

  • Add dh-apparmor to Build-Depends for proper debhelper integration
  • Reload the AppArmor profile early in postinst before starting mariadbd
  • Use dh_apparmor debhelper instead of manual profile installation

The early reload ensures the updated profile is active before the daemon attempts to access new paths, preventing upgrade failures. The dh_apparmor helper properly manages profile installation, updates, and local overrides.

Edited by Otto Kekäläinen

Merge request reports