AppArmor Ubuntu packaging and integration
Discuss where to focus Ubuntu-specific AppArmor packaging and integration efforts.
Blueprint information
- Status:
- Complete
- Approver:
- Jamie Strandboge
- Priority:
- Medium
- Drafter:
- Marc Deslauriers
- Direction:
- Approved
- Assignee:
- Jamie Strandboge
- Definition:
- Approved
- Series goal:
- Accepted for quantal
- Implementation:
- Implemented
- Milestone target:
- ubuntu-12.10
- Started by
- Jamie Strandboge
- Completed by
- Jamie Strandboge
Whiteboard
New items:
apparmor apport spam
- most bugs due to a harmless denial
- apparmor hook doesn't screen the log based on profile so a bug in package X with apparmor will also a trigger in package Y that uses apparmor
- want to be able to screen on a list of profiles
shipping disabled profiles: how worthwhile is this? It has value just like shipping daemons that are diisabled by default
- how can we make it easier to discover/enable
- /etc/default in and commented (conf files) -
- debconf questions?
- depends on package
- what of the delta with debian?
if worthwhile, identify other candidates:
- smbd - maybe with samba extractor
Enabled profile targets:
- nmbd
- winbind
- others (https:/
• repository. how can we improve this with reasonable effort?
- use standardized naming convention and if find something, then prompt, otherwise advertise
- figure out a way to make Ubbuntu profiles available to others once we have shipped them
- figure out a way to make profile sharing between distros work better
* aa-easyprof - templating tool
jjohansen:
apparmor backports, with the backported kernels it may be worth while supplying a backported userspace, and may even be necessary depending on what other parts of the userspace get backported.
- could backport the apparmor userspace
- could also just adjust the backported policy to work with the new tools
- lxc stuff?
- decide on a case by case basis on if we need to actually backport unless we have to
- what of packages that auto update (firefox, chromiumn) if profile is included in the package
-only an issue if people install the upstream versions
Existing profiles in Ubuntu:
https:/
https:/
* profile2audit.log utility for testing of new genprof/logprof - could also be useful for merging profiles (generate faked audit.log, then run logprof on it)
Work Items
Work items:
[mdeslaur] add grep to hook so that only denials for that package trigger the hook (high) (0.5): DONE
[mdeslaur] check packages that contain apparmor profiles to make sure they have apport hooks (high) (1): DONE
[mdeslaur] remove launchpad integration rules from apparmor profiles (medium) (1): DONE
[jdstrand] add default disabled profile for squid3 (low) (0.5): DONE
[jdstrand] add profile for gwibber-service (medium) (2): POSTPONED
[jdstrand] move dovecot profiles to default disabled (low) (0.5): POSTPONED
[sbeattie] add default disabled profile for smbd (low) (1): POSTPONED
[sbeattie] add default enabled profile for nmbd (and winbind if available) (low) (0.5): POSTPONED