AppArmor Ubuntu packaging and integration

Registered by Kees Cook on 2011-05-02

Discuss where to focus Ubuntu-specific AppArmor packaging and integration efforts.

Blueprint information

Status: Started
Approver: Jamie Strandboge
Priority: Medium
Drafter: Kees Cook
Direction: Approved
Assignee: Steve Beattie
Definition: Approved
Series goal: Accepted for oneiric
Implementation: Started
Milestone target: ubuntu-11.10
Started by: Jamie Strandboge on 2011-05-20

Whiteboard

Work items:
[micahg] ship disabled chromium profile in package: POSTPONED
[micahg] update firefox profile to restrict plugin-container: POSTPONED
[micahg] update browser abstractions to restrict nspluginviewer more: POSTPONED
[mdeslaur] aa-notify rate limiting/summarizing: POSTPONED
[mdeslaur] wiki page for using the apparmor profiles repository: DONE
[mdeslaur] announce the apparmor profiles repository: DONE
[jdstrand] telepathy/mission-control profile: DONE
[kees] flip rate limiting bit when using aa-genprof: DONE
[sbeattie] does not offer to edit abstractions: POSTPONED
[sbeattie] doesn't suggest to use variable (@{PROC} and @{HOME}): POSTPONED
[mdeslaur] suggesting community profiles: DONE
[sbeattie] named profiles and binary globbing (all tools): POSTPONED
[jdstrand] make sure aa-logprof still works sanely: DONE
[sbeattie] PUx and pux not supported in userspace: POSTPONED
[jjohansen] fix missed transitions in handleChildren(): POSTPONED
[kees] new introspection interfaces in kernel: POSTPONED
[jjohansen] v3 tagging - kernel support: POSTPONED
[jjohansen] v3 tagging - parser support: POSTPONED
[sbeattie] v3 tagging - packaging and tools support to not die/strip: POSTPONED
[kees] AppArmor testing on ARM: DONE
[mdeslaur] adjust packaging to avoid perl on ISO: DONE
[mdeslaur] rewrite aa-status in python: DONE
[jjohansen] extend network mediation beyond socket level, stage 1 (kernel): POSTPONED
[jjohansen] base extended permission support: POSTPONED
[jjohansen] base extended capability support as part of v3 format change: POSTPONED
[sbeattie] parser config control file: POSTPONED
[jjohansen] dfa improvements, parser memory usage (patch pending): POSTPONED
[jjohansen] dfa improvements, kernel vars: POSTPONED
[jjohansen] dfa improvements, reordering of the structure: POSTPONED
[jjohansen] matcher in userspace to support regression tests, unit tests, etc: POSTPONED
[jjohansen] profile rcu patch: POSTPONED
[kees] modularization of LSM discussion started: POSTPONED

Oneiric+1 Work items:
[?] init script updates for new introspection interface
[?] parser updates for new introspection interface
[?] tool updates for new introspection interface
[?] v3 tagging - tools support to suggest v3
[?] AppArmor LXC integration - needs further specification and possibly own blueprint
[?] network stage 1 support (userspace)
[jjohansen] white paper on kernel vars: INPROGRESS
[jjohansen] set load
[jdstrand] totem-audio-preview
[jdstrand] totem-video-thumbnailer
[jdstrand] gnome-thumbnail-font
[jdstrand] gnome/nautilus patch to not fallback to unconfined image previewers when evince-previewer is used
[jdstrand] adjust mimetypes to use evince-previewer as thumbnailer

Ongoing tasks:
[sbeattie] stock up on bourbon: INPROGRESS

From etherpad (http://summit.ubuntu.com/uds-o/meeting/security-o-apparmor-ubuntu/)

Packaging requests...
 - finalize stuff in /extras
 - https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles

AppArmor container support
AppArmor mode 2 seccomp support

For Oneiric:
Userspace tools:
 - O flip rate limiting bit when using aa-genprof
 - O does not offer to edit abstractions
 - O doesn't suggest to use variable (@{PROC} and @{HOME})
 - O suggesting community profiles
 - tool workflow
  - O is aa-logprof still viable? (replacement/rewrite)
 - O named profiles and binary globbing (all tools)
 - O P[Uu]x not supported
 - O some bug jj knows about that is hard to describe (and has fix)
 - Oish (needs breakdown) userspace needs to migrate away from needing compat patches (i.e., use new introspection interface) -- need other bp
- O v3 tagging
- O [mdeslaur] aa-notify rate limiting/summarizing
- O AppArmor testing on ARM
- O AppArmor LXC integration
- O perl on ISO

Kernel/parser:
- O parser memory usage (patch pending)
- O ipc - to security-o-apparmor-dbus bp?
- network
  - O stage 1
- O extended permission
   - mount
   - chmod, chown
   - setuid, ....
- Oish (break into work items) introspection interface
- Oish (break into work items) dfa improvements
- O set load
- O rcu
- O v3 tag and keep semantics as we go forward
- Oish modularization of LSM discussion started

Also see (for full breakdown):
http://summit.ubuntu.com/uds-o/meeting/security-o-apparmor-dev1/

Added by jdstrand
Profiles:
- chromium-browser (ship in package)
- plugin-container
- nspluginviewer
- telepathy/mission-control
- totem-audio-preview
- totem-video-thumbnailer
- gnome-thumbnail-font
- gnome/nautilus patch to not fallback to unconfined image previewers when evince-previewer is used
- adjust mimetypes to use evince-previewer as thumbnailer
