AppArmor development

Registered by Marc Deslauriers on 2012-04-30

Discuss where to focus AppArmor development and integration efforts

Blueprint information

Status:
Not started
Approver:
Jamie Strandboge
Priority:
Medium
Drafter:
John Johansen
Direction:
Approved
Assignee:
John Johansen
Definition:
Approved
Series goal:
Accepted for quantal
Implementation:
Deferred
Milestone target:
milestone icon ubuntu-12.10-beta-1

Related branches

Sprints

Whiteboard

Pythonize simple apparmor tools (aa-enforce, aa-disable, aa-complain)
- aa-enforce- strip out flags and remove symlink
- aa-disable - just use the symlink
- aa-complain may not be so low hanging. do symlink as first pass and then maybe strip out stuff
LXC
shouldn't need extra flags - workarounds sufficient for now, but need to be fixed by 13.04 or so
stacking profiles is a high priority (lot of work, may not hit for 12.10)
overlayfs bug regarding private namespace (related to disconnected paths and private namespace)
hallyn wants to prevent a udevadm trigger
- netlink
- netlink second layer
- will need to check the policy to see if it will be blocked and if so test the policy before uploading
DBus
- porting work getting there
- interface that we can upstream for dbus to know what is happen
- get dbus work into ppa (dbus patches are still against 1.4, but patches based on upstream feedback)
- once it is in a ppa, send upstream for review
- policy language needs to be refined
Cgroups
- early protoype, not for 12.10
Network mediation
-
Profiles repository
- existing apparmor-profiles project is bottlenecked on apparmor mailing list/merge request
- could add a 'community/' directory to help
- userspace tools are still not suggesting things
- could adjust the tools to use bzr to suggest and publish to private branch and perform a merge request

(?)

Work Items

Work items:
[jjohansen] post outcome of this meeting to the mailing list (medium) (0.5): DONE
[mdeslaur] when go to profile something, can we query the server (medium) (1): POSTPONED
[mdeslaur] figure out a way to make Ubuntu profiles available to others once we have shipped them (low) (1): POSTPONED
[mdeslaur] figure out a way to make profile sharing between distros work better (low) (1): POSTPONED
[jdstrand] send aa-sandbox prototype to the mailing list (medium) (1.5): DONE
[jdstrand] port/merge/verify existing python tools to python3 (medium) (1): DONE
[sbeattie] named profiles and binary globbing (all tools) (medium) (3): POSTPONED
[sbeattie] PUx and pux not supported in userspace (medium) (1): POSTPONED
[sbeattie] investigate seccomp2 support in AppArmor. Additional work items may fall out as a result of this investigation. (medium) (2): POSTPONED
[sbeattie] convert build system to use autotools (low) (3): POSTPONED
[sbeattie] base policy introspection interface - userspace tools unit tests (low) (2): POSTPONED
[jjohansen] policy interface, usertool change notification - kernel - deps base introspection (medium) (5): POSTPONED
[jjohansen] dynamic lookup/files for policy introspecition - deps base introspection (low) (10): POSTPONED
[jjohansen] stop mode - upstream (low) (1): POSTPONED
[jjohansen] stop mode, global flag - kernel (low) (0.5): POSTPONED
[jjohansen] upstream, LSM module unload patch (low) (5): POSTPONED
[jjohansen] upstream, lsm_audit - allow passing of GFP flags to reduce chance of dropping (low) (2): POSTPONED
[jjohansen] upstream, lsm_audit - return error when message fails (low) (2): POSTPONED
[jjohansen] LSS status report presentation (low) (1): POSTPONED
[jdstrand] commit aa-easyprof tree soon (trunk only): DONE