Thanks for your work on this Clint; it is much appreciated.
I'd prefer not to adjust the profile for the test suite. @{HOME} in an AppArmor profile does not expand to the process' uid's HOME, but the value of the @{HOME} variable as set in /etc/apparmor.d/tunables/home. As such, this expands to:
owner /home/you/tmp/...
owner /home/me/tmp/...
owner /home/her/tmp/...
...
While with 'owner' match, it should generally be ok since /home/you/tmp shouldn't be owned by the mysql user, it does open an avenue of attack for people running mysqld as themselves and is IMHO unnecessary.
As for documenting, the best course IMO is to patch /usr/lib/mysql-test/mysql-test-run.pl itself to first do a quick test to see if --vardir is writable, and if not, give a helpful message about AppArmor possibly blocking it, suggest using --vardir=/var/tmp/mysql instead, and exit with an error.
We should of course also adjust the test script in lp:qa-regression-testing to use --vardir=/var/tmp/mysql, since it is now using the testsuite.
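An added example (not code from the bug thread, MySQL or AppArmor): a small Python model of how apparmor_parser resolves @{HOME} from tunables/home, showing that the variable fans out over every home directory rather than the process uid's own HOME. The tunables text is constructed to follow the stock file's format, and the rule and paths checked are illustrative assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the format of /etc/apparmor.d/tunables/home (not a copy of it)
TUNABLES_HOME = """
# base directory that holds user home directories
@{HOMEDIRS}=/home/
# every user's home directory, plus root's; values are space-separated
@{HOME}=@{HOMEDIRS}/*/ /root/
"""

VAR_DEF = re.compile(r"^\s*(@\{\w+\})\s*=\s*(.+?)\s*$")
VAR_REF = re.compile(r"@\{\w+\}")


def parse_tunables(text: str) -> Dict[str, List[str]]:
    """Collect '@{NAME}=value value ...' definitions; comment lines are skipped."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = VAR_DEF.match(line)
        if m and not line.lstrip().startswith("#"):
            table[m.group(1)] = m.group(2).split()
    return table


def expand(text: str, table: Dict[str, List[str]]) -> List[str]:
    """Replace the first variable reference and recurse; a multi-valued
    variable fans out into one rule per value, as apparmor_parser does."""
    m = VAR_REF.search(text)
    if not m:
        return [re.sub(r"/{2,}", "/", text)]  # collapse '//' left by joined values
    name = m.group(0)
    if name not in table:
        raise ValueError(f"undefined variable {name}")
    out: List[str] = []
    for value in table[name]:
        out += expand(text[: m.start()] + value + text[m.end():], table)
    return out


def glob_to_regex(pattern: str) -> re.Pattern:
    """AppArmor globbing: '*' stays inside one path component, '**' may cross '/'."""
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def path_allowed(path: str, rules: List[str]) -> bool:
    """True when the glob of any expanded 'owner <glob> <perms>,' rule matches path."""
    return any(glob_to_regex(r.split()[1]).match(path) for r in rules)
```

Expanding `owner @{HOME}/tmp/** rw,` yields one rule per home directory, which is why /home/you/tmp is reachable while /var/tmp/mysql is not covered by it.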