Improve AppArmor usability in Ubuntu

Registered by Jamie Strandboge

AppArmor usability can be improved in Ubuntu, especially when considering profiles shipped in the default installation (e.g. cups, evince, firefox-3.5). Discuss methods to improve this, in particular:
 * dealing with tunables and likewise-open
 * reporting messages
 * userspace tools
 * profile creation
 * documentation

Blueprint information

Status: Complete
Approver: Robbie Williamson
Priority: High
Drafter: Jamie Strandboge
Direction: Approved
Assignee: Jamie Strandboge
Definition: Approved
Series goal: Accepted for lucid
Implementation: Implemented
Milestone target: None
Started by: Jamie Strandboge
Completed by: Jamie Strandboge

Whiteboard

Feedback jdstrand 2009-11-30: @{HOME} and likewise-open in https://blueprints.launchpad.net/ubuntu/+spec/security-lucid-apparmor-tunables

Work items:
make user-space aware of tunables: POSTPONED
hook up apparmor to apport when alert messages appear: POSTPONED
modify user tools to get logs directly from the kernel: POSTPONED
update tools for directory load of tunables: POSTPONED
update tools for alias support (/usr): POSTPONED
add aa-decode and manpage: DONE
user-space notifications during dev cycle: DONE

Gobby notes:
Improve AppArmor usability in Ubuntu

- Profiles that are being shipped
- Tunables
  - @HOME
    - address with packaging vs. automatic vs. documentation and notification
  - /usr (maybe as an alias)
- Notification
- User space tools

= Dealing with tunables =

Karmic is the first release that shipped a GUI application with a profile in enforcing mode. A problem turned up when users had a home directory that was not in the standard location. Likewise Open also puts home directories in a non-standard location.

The parser understands tunables; the user-space tools do not.

Two problem scenarios: people who upgrade with a non-standard home directory, and people who create users with non-standard home directories.

If using automatic mode to resolve the HOME tunable:
 - hook via upgrades, useradd, package install, explicitly flagged
 - pam module could compare the home dir to the tunable?
   - throw up a warning, set an error
 - parse /etc/passwd directly (not getent, to avoid querying giant NSS databases)
   - use gdm's method for identifying non-system users
 - have a debconf-preseedable setting of the @{HOMEDIRS} tunable
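The check sketched above, as an added example that is not part of the blueprint or of Ubuntu's AppArmor tooling: a POSIX shell script that reads the @{HOMEDIRS} tunable, walks a passwd file, and reports every non-system user whose home directory falls outside the tunable (the state in which an enforcing @{HOME}-based profile denies the user's own files). The page only says "use gdm's method" for picking non-system users, so the UID range 1000 to 65533 is an assumption, as is the single-line `@{HOMEDIRS}=...` form taken from /etc/apparmor.d/tunables/home (tunables/home.d additions are ignored). Both input samples are constructed inline.

```shell
#!/bin/sh
# Added example, not from the blueprint: report non-system users whose
# home directory lies outside the AppArmor @{HOMEDIRS} tunable.
# Assumptions (not stated on the page): non-system users have UID >= 1000
# and < 65534, and the tunable is a single line of the form
#   @{HOMEDIRS}=/home/ /srv/homes/
# as in /etc/apparmor.d/tunables/home (tunables/home.d additions ignored).

# Constructed sample of /etc/apparmor.d/tunables/home.
SAMPLE_TUNABLES='# parents of all user home directories
@{HOMEDIRS}=/home/ /srv/homes/
@{HOME}=@{HOMEDIRS}/*/ /root/'

# Constructed sample of /etc/passwd; the real file is read the same way
# (the blueprint prefers this over getent to avoid large NSS databases).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/srv/homes/bob:/bin/bash
carol:x:1002:1002:Carol:/data/carol:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh'

# homedirs_from_tunables TUNABLES_TEXT
# Print each directory assigned to @{HOMEDIRS}, one per line, normalised
# to end in exactly one slash so the prefix match below is unambiguous.
homedirs_from_tunables() {
    printf '%s\n' "$1" |
        sed -n 's/^@{HOMEDIRS}=[[:space:]]*//p' |
        tr ' ' '\n' |
        sed -e '/^$/d' -e 's#/*$#/#'
}

# users_outside_homedirs PASSWD_TEXT TUNABLES_TEXT
# Print "user:home" for every non-system account whose home directory is
# not under any @{HOMEDIRS} entry.
users_outside_homedirs() {
    homedirs=$(homedirs_from_tunables "$2")
    printf '%s\n' "$1" |
        while IFS=: read -r user pw uid gid gecos home shell; do
            [ "$uid" -ge 1000 ] || continue     # system account
            [ "$uid" -lt 65534 ] || continue    # nobody and friends
            covered=0
            for dir in $homedirs; do
                # comparing "$home/" stops /homeless from matching /home/
                case "$home/" in
                    "$dir"*) covered=1 ;;
                esac
            done
            [ "$covered" -eq 1 ] || printf '%s:%s\n' "$user" "$home"
        done
}

# Run against the constructed samples; on a real system pass
# "$(cat /etc/passwd)" and "$(cat /etc/apparmor.d/tunables/home)" instead.
users_outside_homedirs "$SAMPLE_PASSWD" "$SAMPLE_TUNABLES"
```

On the sample input only carol is reported, because /data/ is not listed in @{HOMEDIRS}; that is exactly the line a useradd or upgrade hook would turn into the warning the notes propose, and the same parse can feed a debconf preseed value for @{HOMEDIRS}.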

Tools
- update for tunables
- update for directory load
- alias support in tools (/usr)

= Notifications =
 - low-detail for desktop users and rate-limited
 - tracks apport enablement (like kernel oops)
 - logwatch plugin
 - munin plugin
 - maybe use update-notifier, which has desktop and server hooks already?

== Profile updates ==
- editing profiles causes packaging conflicts
- Include directories
- Should modify mysql config file to add an apparmor warning - I wouldn't say that's needed, since then we should do that for any other change in mysql (if you change datadir, you need to move bla bla bla)

== user space tools ==
- It would be nice if the user space tools could capture logs directly from the kernel instead of having apparmor log the regular way.
- User tools to suggest new abstractions

(?)

Work Items