AppArmor Ubuntu packaging and integration

Registered by Marc Deslauriers on 2012-04-30

Discuss where to focus Ubuntu-specific AppArmor packaging and integration efforts.

Blueprint information

Status:
Complete
Approver:
Jamie Strandboge
Priority:
Medium
Drafter:
Marc Deslauriers
Direction:
Approved
Assignee:
Jamie Strandboge
Definition:
Approved
Series goal:
Accepted for quantal
Implementation:
Implemented
Milestone target:
milestone icon ubuntu-12.10
Started by
Jamie Strandboge on 2012-10-03
Completed by
Jamie Strandboge on 2012-10-03

Related branches

Sprints

Whiteboard

New items:

apparmor apport spam
- most bugs due to a harmless denial
- apparmor hook doesn't screen the log based on profile so a bug in package X with apparmor will also a trigger in package Y that uses apparmor
- want to be able to screen on a list of profiles

shipping disabled profiles: how worthwhile is this? It has value just like shipping daemons that are diisabled by default
- how can we make it easier to discover/enable
  - /etc/default in and commented (conf files) -
  - debconf questions?
    - depends on package
    - what of the delta with debian?

if worthwhile, identify other candidates:
- smbd - maybe with samba extractor

Enabled profile targets:
- nmbd
- winbind
- others (https://wiki.ubuntu.com/SecurityTeam/Roadmap)

• repository. how can we improve this with reasonable effort?
  - use standardized naming convention and if find something, then prompt, otherwise advertise
 - figure out a way to make Ubbuntu profiles available to others once we have shipped them
 - figure out a way to make profile sharing between distros work better

* aa-easyprof - templating tool

jjohansen:
apparmor backports, with the backported kernels it may be worth while supplying a backported userspace, and may even be necessary depending on what other parts of the userspace get backported.
 - could backport the apparmor userspace
 - could also just adjust the backported policy to work with the new tools
 - lxc stuff?
- decide on a case by case basis on if we need to actually backport unless we have to

- what of packages that auto update (firefox, chromiumn) if profile is included in the package
  -only an issue if people install the upstream versions

Existing profiles in Ubuntu:
https://wiki.ubuntu.com/Security/Features#apparmor
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles

* profile2audit.log utility for testing of new genprof/logprof - could also be useful for merging profiles (generate faked audit.log, then run logprof on it)

(?)

Work Items

Work items:
[mdeslaur] add grep to hook so that only denials for that package trigger the hook (high) (0.5): DONE
[mdeslaur] check packages that contain apparmor profiles to make sure they have apport hooks (high) (1): DONE
[mdeslaur] remove launchpad integration rules from apparmor profiles (medium) (1): DONE
[jdstrand] add default disabled profile for squid3 (low) (0.5): DONE
[jdstrand] add profile for gwibber-service (medium) (2): POSTPONED
[jdstrand] move dovecot profiles to default disabled (low) (0.5): POSTPONED
[sbeattie] add default disabled profile for smbd (low) (1): POSTPONED
[sbeattie] add default enabled profile for nmbd (and winbind if available) (low) (0.5): POSTPONED

This blueprint contains Public information 
Everyone can see this information.