Draft: WIP: Add functional AppArmor profile for MariaDB 11.8

Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875890

Replace the intentionally empty profile with a working one adapted from MySQL 8.0 and 8.4 examples in Ubuntu.

Key adaptations:

  • Change profile name to /usr/sbin/mariadbd to match MariaDB's binary
  • Keep /usr/sbin/mysqld rule for compatibility with legacy scripts
  • Update local include path to usr.sbin.mariadbd for site-specific overrides
  • Use 'mariadb' in path names and plenty of wildcards to match common variations

Also update packaging:

  • Add dh-apparmor to Build-Depends for proper debhelper integration
  • Reload the AppArmor profile early in postinst before starting mariadbd
  • Use dh_apparmor debhelper instead of manual profile installation

The early reload ensures the updated profile is active before the daemon attempts to access new paths, preventing upgrade failures. The dh_apparmor helper properly manages profile installation, updates, and local overrides.

TODO

  1. Fix the ERROR: Operation {'runbindable'} cannot have a source. Source = AARE('/') error so profile can be activated.
  2. Test extensively. Perhaps even run full mtr --big-test while confined to see if anything is triggered.
Edited by Otto Kekäläinen
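
For TODO item 2, one way to see what a confined test run triggers is to summarise the AppArmor denials logged against the /usr/sbin/mariadbd profile. This is an added example, not part of the merge request; the function names are hypothetical and the sample audit lines are constructed.

```python
import re
from collections import Counter

PROFILE = "/usr/sbin/mariadbd"  # profile name given in the merge request
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="value" or key=value
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_record(line):
    """Return the fields of one AppArmor audit record as a dict."""
    fields = {}
    for m in PAIR.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key == "name" and HEX.fullmatch(bare):
            # audit hex-encodes names containing spaces or other unsafe bytes
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields

def summarize_denials(lines, profile=PROFILE):
    """Count DENIED events for `profile` by (operation, target, denied_mask)."""
    counts = Counter()
    for line in lines:
        f = parse_record(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        # capability denials carry capname instead of a file name
        target = f.get("name") or f.get("capname") or "-"
        counts[(f.get("operation", "?"), target, f.get("denied_mask", "-"))] += 1
    return counts

# Constructed sample records (not taken from a real test run)
_P = 'profile="/usr/sbin/mariadbd"'
SAMPLE = [
    f'audit: type=1400 audit(1700000000.101:201): apparmor="DENIED" operation="open" {_P} name="/srv/backup/dump.sql" pid=4242 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0',
    f'audit: type=1400 audit(1700000003.517:202): apparmor="DENIED" operation="open" {_P} name="/srv/backup/dump.sql" pid=4242 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0',
    f'audit: type=1400 audit(1700000004.002:203): apparmor="DENIED" operation="mknod" {_P} name=' + "/tmp/mtr out.log".encode().hex().upper() + ' pid=4242 comm="mariadbd" requested_mask="c" denied_mask="c" fsuid=110 ouid=110',
    f'audit: type=1400 audit(1700000005.330:204): apparmor="DENIED" operation="capable" {_P} pid=4242 comm="mariadbd" capability=1 capname="dac_override"',
    f'audit: type=1400 audit(1700000006.010:205): apparmor="ALLOWED" operation="open" {_P} name="/etc/mysql/my.cnf" pid=4242 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0',
    'audit: type=1400 audit(1700000007.940:206): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for (op, target, mask), n in summarize_denials(SAMPLE).most_common():
        print(f"{n:3d}  {op:8s} {mask:3s} {target}")
```

Each distinct row in the summary is a candidate rule for the profile or for the local override file, once the access has been confirmed as legitimate.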
