Low-hanging or important AppArmor profiles

Registered by Kees Cook on 2009-04-28

Discuss and identify easy or important AppArmor profiles that either do not exist yet or are not yet enabled by default.

Blueprint information

Status:
Complete
Approver:
Rick Clark
Priority:
Low
Drafter:
Jamie Strandboge
Direction:
Needs approval
Assignee:
None
Definition:
Approved
Series goal:
None
Implementation:
Informational Informational
Milestone target:
None
Started by
Jamie Strandboge on 2011-10-25
Completed by
Jamie Strandboge on 2011-10-25

Whiteboard

I. Introduction
  A. current profiles (https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles)
  B. apparmor-profiles vs package-shipped profiles
     - apparmor-profiles contain various applications (ntpd, syslogd, etc.)
     - aren't hugely maintained, some are known broken
     - in complain mode by default waiting for a feedback to be enforced

II. Sources
  A. apparmor/profiles-devel
   * https://code.launchpad.net/~ubuntu-core-dev/apparmor/profiles-devel
  B. apparmor-profiles
    1. who is using them?
    2. how useful are they?
  C. others (coummunity, Novell?)
   * http://apparmor.opensuse.org/

III. Potential targets (what we would like to be covered)
  * ntpd (P1)
  * squid (P3, possibly P2 (talk to elmo))
  * nmbd (P2)
  * winbind (P2)
  * postgresql (P1 (talk to pitti))
  * spamassassin (spamd) (P2)
  * awstats (P3?)
  * analog (P3?)
  * mailman (P3)
  * in universe
   * asterisk (P3?)
  * tomcat (a third party changehat plugin is rumored to exist) (P1)
  * apache (in another session :P) (P1)
  * portmap (low-effort?)
  * rpc.statd (low-effort?)
  * exim4 (P3)
  * nagios/nrpe (P3)
  * munin
  * dnsmasq (P3 possibly P2 due to libvirt (talk to soren))
  * scripts that people tend to give sudo access to: ex.: apache2ctl, /etc/init.d/* (mysql?)
  * openssh-server (not easy, as users can spawn anything) (P2?)
  * libvirt (requires writing svirt plugin) (P1)
  * Client side:
   * pidgin (P3)
   * mail clients (thunderbird, kmail, evolution) (P3)
   * eog (P3)
   * totem (P3)
   * evince (in progress in bzr tree)
   * skype, ekiga (P3)
   * acroread (P2)
   * rhythmbox (P3)

IV. identify most important/needed profiles to help prioritize their implementation

Misc:
AppArmorProfileMigration Page in the wiki

(?)

Work Items