From 532676b4214e833450748c4c134869f9bcaf6b3b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:33:44 +0200 Subject: [PATCH] build: improve documentation about overwriten profiles. Make it clear why a given profile is overwriten from upstream. --- dists/overwrite | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index 1464f03ff..5bc00f9fe 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -1,8 +1,8 @@ -# Apparmor 4.0 ships several profiles that allow userns and are otherwise -# unconfined. This file keeps track of them and allow apparmor.d to replace -# them by our own. +# Apparmor 4.0 and over ships a few profiles that can conflict with apparmor.d +# This file keeps track of them and allow apparmor.d to replace them by our own. # File format: one profile name by line. +# Overwrite unconfined upstream profiles that only allow userns brave chrome chromium @@ -12,22 +12,30 @@ firefox flatpak foliate loupe -lsblk -lsusb msedge mullvad nautilus -openvpn opera os-prober plasmashell -remmina signal-desktop slirp4netns steam systemd-coredump thunderbird -transmission -unix-chkpwd virtiofsd + +# Overwrite upstreamed profiles, our local version may be more up to date +unix-chkpwd + +# Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while +# They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: +# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile +# - Drop ours: when upstream profiles is better +fusermount3 +lsblk +lsusb +openvpn +remmina +transmission wg-quick
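Review bot: The rewritten header in the first hunk drops the original's explanation of why these profiles are overwritten (they "allow userns and are otherwise unconfined"), while the commit message says the goal is to make that reason clear; the new section comment "# Overwrite unconfined upstream profiles that only allow userns" carries it, but the top-level header should still say that the conflict is about confinement. Grammar in the same hunk: "Apparmor 4.0 and over ships a few profiles that can conflict with apparmor.d" needs a terminating period, "allow apparmor.d to replace them" should read "allows apparmor.d to replace them", and "one profile name by line" should read "one profile name per line".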
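Review bot: The second hunk adds `fusermount3` to the list, which is a behavioural change (apparmor.d will now replace the upstream fusermount3 profile, affecting what that setuid helper is confined by) and not covered by a commit message that describes the change as documentation only; either split it into its own commit or mention it in the message. The moved entries (`lsblk`, `lsusb`, `openvpn`, `remmina`, `transmission`) and the trailing context line `wg-quick` all end up under the "recently added in apparmor" heading, so please confirm `wg-quick` belongs there rather than in the userns section. The criterion for `unix-chkpwd` ("our local version may be more up to date") is vague for a profile that mediates password checks; state what the local version provides that upstream lacks so the entry can be re-evaluated when upstream catches up. Typos in the new comment block: "They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones" should read "There can be multiple justifications for keeping our profiles here, or on the contrary using upstream ones"; "tunable" should be "tunables"; and "when upstream profiles is better" should be "when the upstream profile is better".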