AppArmor Ubuntu packaging and integration

Registered by Marc Deslauriers on 2011-10-05

Discuss where to focus Ubuntu-specific AppArmor packaging and integration efforts.

Blueprint information

Status: Started
Approver: Jamie Strandboge
Priority: Medium
Drafter: Marc Deslauriers
Direction: Approved
Assignee: Jamie Strandboge
Definition: Approved
Series goal: Accepted for precise
Implementation: Deployment
Milestone target: None
Started by: Jamie Strandboge on 2011-11-10

Whiteboard

NOTE: jdstrand> separate profile for firefox/plugin-container is not easily done because all plugins run under this binary and we can't easily confine this binary. We could use abstractions like with firefox. It is possible to ship a disabled by default profile in the firefox package that people can opt into. Patches welcome.

Work items:
[jdstrand] add default disabled rsyslog profile (0.5): DONE
[jdstrand] review libvirt-lxc sVirt driver (0.5): DONE
[jdstrand] move dovecot profiles to default disabled (0.5): POSTPONED
[sbeattie] add default disabled profile for squid (0.5): POSTPONED
[sbeattie] add default disabled profile for smbd (1): POSTPONED
[sbeattie] add default enabled profile for nmbd (and winbind if available) (0.5): POSTPONED
[jdstrand] add profile for gwibber-service backend (2): POSTPONED
[jdstrand] investigate adding profile for firefox/plugin-container (1): DONE
[jdstrand] get all of apparmor into main (0.5): DONE
[sbeattie] check packages that contain apparmor profiles to make sure they have apport hooks (0.5): POSTPONED
[kees] submit dh_apparmor to debian: DONE
[jdstrand] investigate/fix bug #851986 for evince (high) (1): DONE
[jdstrand] investigate/fix bug #851986 for firefox (1): DONE
[jdstrand] investigate/add sanitized helper to apparmor for bug #851986 (high): DONE
[jjohansen] backport AppArmor kernel fix for bug #851986 (if required): DROPPED
[jdstrand] update firefox profile for @{MOZ_LIBDIR} (0.5): DONE
[jjohansen] fix bug #888077 - alias only being partially applied (high) (3): POSTPONED
[jdstrand] fix accumulating profile abstraction bugs (medium) (2): DONE
[jdstrand] aa-notify rate limiting (low) (1): POSTPONED
[kees] static base policy introspection interface: DONE
[jjohansen] document new static interface (low) (0.5): DONE
[tyhicks] dynamic base policy introspection interface (high) (5): POSTPONED
[jdstrand] document new dynamic interface (low) (0.5): POSTPONED
[sbeattie] update tools to use new interface (high) (2): POSTPONED
[jjohansen] env filtering - investigate possible solutions (high) (1): DONE
[jjohansen] env filtering - extend parser to support (high) (1): POSTPONED
[sbeattie] env filtering - extend parser tests (medium) (0.5): POSTPONED
[jjohansen] env filtering - extend kernel to support (high) (3): POSTPONED
[sbeattie] env filtering - regression tests (high) (1): POSTPONED
[jdstrand] env filtering - update documentation/man pages (low) (0.5): POSTPONED
[jdstrand] aa-profile-dump (low) (0.5): POSTPONED
[jdstrand] aa-diff (low) (0.5): POSTPONED
[sbeattie] dbus - get apparmor kernel, parser, library, dbus into a ppa (high) (1): POSTPONED
[jjohansen] upstream kernel patches (high) (4): INPROGRESS
[sbeattie] named profiles and binary globbing (all tools) (medium) (3): POSTPONED
[sbeattie] PUx and pux not supported in userspace (medium) (1): POSTPONED
[jjohansen] network rules update kernel to newest versions (high) (2): DONE
[sbeattie] network rules parser tests for extended syntax (medium) (2): POSTPONED
[sbeattie] network rules regression tests (medium) (4): POSTPONED
[jjohansen] parser config control file: DONE
[jjohansen] dfa improvements, parser memory usage: DONE
[jjohansen] mediate kernel key ring access (high) (4): POSTPONED
[jjohansen] update apparmor to use new __d_path api (essential) (2): DONE
[jjohansen] update apparmor for private mounts (sysctls, ..) (medium) - needs labeling rework (2): POSTPONED
[jjohansen] update apparmor for chroot transition rules to mirror pivot root - needs chroot relative resolved (high) (1): POSTPONED
[jjohansen] add chroot mediation to deal with upstream no_new_privs changes: DONE
[jjohansen] update name resolution to default to chroot relative, and require new abs flag for old behavior: DONE

Later:
* [jjohansen] extended network rules stage 1 and 2: TODO
* [jjohansen] update apparmor to remove use of d_absolute_path for mediation - dependent on labeling (low) (1): TODO
* [jjohansen] lsm patches for getattrs and other paths that don't have sufficient info to distinguish access from file from new lookup: TODO
* [jjohansen] labeling patch to remove need for d_absolute_path and attach_disconnected: TODO
* [jjohansen] Document apparmor labeling (5): INPROGRESS
* [jdstrand] add profile for gwibber-service backend (2) (should wait for env filtering): INPROGRESS
* [jdstrand] move dovecot profiles to default disabled (0.5): TODO
* [sbeattie] add default disabled profile for squid (0.5): TODO
* [sbeattie] add default disabled profile for smbd (1): TODO
* [sbeattie] add default enabled profile for nmbd (and winbind if available) (0.5): TODO
* [tyhicks] dynamic base policy introspection interface (5): POSTPONED
* [jdstrand] document new dynamic interface (0.5): POSTPONED
* [sbeattie] update tools to use new interface (2): POSTPONED
* Convert to chroot relative profiles http://wiki.apparmor.net/index.php/DevelopmentRoadmap#Convert_to_default_chroot_relative_profiles

From etherpad:
= Acceptance Criteria =
https://wiki.ubuntu.com/UbuntuEngineering/12.04/UpstreamDevelopment
https://wiki.ubuntu.com/UbuntuEngineering/12.04/UpstreamDevelopment/ProjectTracking
[sbeattie] Get upstream Jenkins and ppa builds working again
 * existing infrastructure was going to PPAs at https://launchpad.net/~apparmor-upload
[jdstrand] Setup Daily build to ppa for trunk and later for the stable branches
= Policy =
- Start shipping more disabled profiles like firefox
https://wiki.ubuntu.com/SecurityTeam/Roadmap#AppArmor_Confinement
shipping default disabled profiles:
 * rsyslog (add to server documentation too) - yes
 * dovecot (add to server docs) - yes
 * squid (add to server docs /srv/squid (for cache) (tunable?)) - yes
 * thunderbird - probably not for this cycle
 * evolution - probably not for this
 * smbd (what has Christian been doing with this?) (nmbd we can turn on, winbind?)
  * he has a tool for this. approach Christian to maybe push upstream
 * others?
   * nut? (how to deal with the bagazillion drivers?)
new profiles:
 * plugin-container - explore browser plugin container - maybe ship as child profile in firefox
 * auditd (experiment with filters to make sure we have the right capabilities)
 * gwibber? (+gwibber-service backend?) -[jdstrand/sbeattie] explore more
shipping default enabled profiles:
 * nmbd (yes)
can we protect cups filters/etc that we ship? - can't test them all.
= Packaging =
* [jdstrand] dh_apparmor - get into debian?
* [allison] give packaging requirements
* [jdstrand] take those packaging requirements and create documentation on how to use the tool and add the resulting profile to the packaging
 * get all of apparmor into main - yes todo
    - python - needs to be built for multiple versions, 2.6, 2.7, ...
    - ruby, profiles, aa_notify, etc.
 * apparmor initscript vs. upstart
 * hook up apparmor to apport when alert messages appear
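The "shipping default disabled profiles" and "Packaging" items above both rest on one mechanism: a profile installed under /etc/apparmor.d/ is skipped by the AppArmor init script when a same-named entry exists in /etc/apparmor.d/disable/ (the symlink that aa-disable creates and aa-enforce removes), so a package can ship the profile inert and an administrator opts in later. The POSIX shell script below is an added example, not code from the blueprint, the apparmor package or dh_apparmor; it reproduces that selection rule on a scratch tree so it runs without root or an AppArmor kernel. APPARMOR_DIR, APPARMOR_LOAD, the function names and the usr.sbin.example-daemon profile are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the blueprint or from the apparmor package.
# AppArmor's init script loads every profile file under /etc/apparmor.d/ except
# those with a same-named entry in /etc/apparmor.d/disable/. APPARMOR_DIR
# defaults to the real directory but can point at a scratch tree (assumed
# variable, for illustration) so the functions run without root.
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"

# Install a profile file and mark it disabled in the same step, so it ships
# inert and the admin opts in later. (Assumed postinst behaviour of a package
# shipping an opt-in profile; the dh_apparmor maintainer-script snippets
# themselves load a profile, they do not disable it.)
ship_disabled_profile() {
    name="$1"; src="$2"
    mkdir -p "$APPARMOR_DIR/disable"
    cp "$src" "$APPARMOR_DIR/$name"
    ln -sf "$APPARMOR_DIR/$name" "$APPARMOR_DIR/disable/$name"
}

# True when a disable entry (symlink or file) exists, the test the init script
# applies before loading a profile.
profile_is_disabled() {
    [ -L "$APPARMOR_DIR/disable/$1" ] || [ -e "$APPARMOR_DIR/disable/$1" ]
}

# Opt in, as aa-enforce does: drop the disable entry, then load the profile
# into the kernel. Loading only happens when APPARMOR_LOAD=1 (assumed switch)
# and we are root, because a build or test host has no AppArmor kernel.
enable_profile() {
    name="$1"
    rm -f "$APPARMOR_DIR/disable/$name"
    if [ "${APPARMOR_LOAD:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        apparmor_parser -r "$APPARMOR_DIR/$name"
    fi
}

# Opt out again, as aa-disable does: recreate the entry and unload if asked.
disable_profile() {
    name="$1"
    mkdir -p "$APPARMOR_DIR/disable"
    ln -sf "$APPARMOR_DIR/$name" "$APPARMOR_DIR/disable/$name"
    if [ "${APPARMOR_LOAD:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        apparmor_parser -R "$APPARMOR_DIR/$name"
    fi
}

# Mirror the boot-time selection: regular files directly under APPARMOR_DIR
# (the disable/ subdirectory is not a profile), minus disabled ones, one name
# per line.
profiles_to_load() {
    for f in "$APPARMOR_DIR"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if profile_is_disabled "$name"; then continue; fi
        echo "$name"
    done
}

# Stand-alone demo on a constructed scratch tree: `sh this.sh demo`.
if [ "${1:-}" = demo ]; then
    scratch=$(mktemp -d)
    APPARMOR_DIR="$scratch/apparmor.d"; mkdir -p "$APPARMOR_DIR"
    # Constructed minimal profile, not a real Ubuntu profile.
    printf '/usr/sbin/example-daemon {\n  #include <abstractions/base>\n}\n' > "$scratch/src"
    ship_disabled_profile usr.sbin.example-daemon "$scratch/src"
    echo "loaded at boot after shipping:"; profiles_to_load
    enable_profile usr.sbin.example-daemon
    echo "loaded at boot after opt-in:"; profiles_to_load
    rm -rf "$scratch"
fi
```

On a real system the opt-in is simply `aa-enforce /etc/apparmor.d/<profile>` (or the symlink removal plus `apparmor_parser -r` shown in enable_profile), and the package build side is `dh_apparmor --profile-name=<profile>`, which adds the postinst/prerm snippets that load and unload the profile; whether the package also drops the disable entry on first install is the packaging decision the items above are tracking.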
