HardyAppArmor

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

  • Launchpad Entry: apparmor-integration

  • Packages affected: apparmor, libapparmor, * (any package with a profile)

Summary

Improve AppArmor usability and integration for Hardy.

Release Note

Rationale

AppArmor has been officially integrated and supported in Gutsy. Although the core functionality is there, more work needs to be done to improve the integration with other system components.

Use Cases

Alice wants to immediately know when a program violates AppArmor policy. She wants to leverage her existing monitoring infrastructure.

Bob wants to configure AppArmor for his desktop. He wants to see which profiles are enabled and their enforcing policy. He can also enable and disable the available profiles from the same GUI.

Carl has set up an audit infrastructure and wants to collect AppArmor events with it.

Dan has recently joined the Ubuntu QA team and sees more and more random crashes. Some of them are related to an inaccurate AppArmor profile. His triaging process is greatly helped by the AppArmor information added to each apport bug report.

Assumptions

Upstream will have a stable release for Hardy largely similar to the version in Gutsy: AppArmor roadmap

Design

Implementation

Kernel integration

The AppArmor module is currently included in linux-ubuntu-modules.

AppArmor 2.1 needs some changes in the VFS stack. Patches have been sent to upstream, but they haven't been accepted yet.

There are some issues with unionfs.

The Ubuntu Kernel team needs to keep track of these issues.

System integration

Package pam_apparmor.

Create new profiles

Adding profiles to:

  • dhclient (drop the de-rooting patch).

Integration with the audit framework

Update auditd and include it in main.

Integration with apport

The log parsing library should be up to date, but it may have some problems with parts of the old log format in Feisty universe.

Package the python bindings for the log parsing library.

Write a general hook for apport so that apparmor audit messages are added to the report.
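A sketch of such a hook, added here as an example and not taken from this spec or from the AppArmor or apport projects. It assumes the key="value" audit record layout with an apparmor="DENIED" field, that profiles are named after the executable path, that the kernel log is at /var/log/kern.log, and a hypothetical report key AppArmorDenials; it uses a regular expression rather than the log parsing library's python bindings. Only denials for the crashed executable are attached, so paths touched by unrelated confined programs do not end up in a public bug report.

```python
import re

# Constructed sample kernel log lines (not from the spec).
SAMPLE_LOG = '''\
Apr  5 10:00:01 host kernel: [  100.1] type=1400 audit(1712311201.100:11): apparmor="DENIED" operation="open" profile="/sbin/dhclient" name="/etc/shadow" pid=4242 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr  5 10:00:02 host kernel: [  101.2] type=1400 audit(1712311202.200:12): apparmor="ALLOWED" operation="open" profile="/sbin/dhclient" name="/tmp/x" pid=4242 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr  5 10:00:03 host kernel: [  102.3] type=1400 audit(1712311203.300:13): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/home/bob/secret plan.txt" pid=900 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=1000
Apr  5 10:00:04 host kernel: [  103.4] usb 1-1: new high-speed USB device
'''

# Matches key="quoted value" and key=bare_value pairs in an audit record.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(log_text, profile=None):
    """Return one dict per DENIED record, optionally only for one profile."""
    denials = []
    for line in log_text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in PAIR.findall(line)}
        if fields.get("apparmor") != "DENIED":
            continue  # skips complain-mode (ALLOWED) and non-AppArmor lines
        if profile is not None and fields.get("profile") != profile:
            continue
        denials.append(fields)
    return denials


def read_kernel_log(path="/var/log/kern.log"):  # assumed log location
    try:
        with open(path, errors="replace") as f:
            return f.read()
    except OSError:
        return ""  # an unreadable log must never break crash reporting


def add_info(report, ui=None, log_text=None):
    """apport hook entry point; log_text is a hypothetical test parameter."""
    exe = report.get("ExecutablePath")
    if not exe:
        return
    text = read_kernel_log() if log_text is None else log_text
    rows = ["%s %s denied=%s pid=%s" % (d.get("operation", "?"),
            d.get("name", "?"), d.get("denied_mask", "?"), d.get("pid", "?"))
            for d in parse_denials(text, profile=exe)]
    if rows:
        report["AppArmorDenials"] = "\n".join(rows)  # hypothetical key name
```
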

Integration with SELinux

Provide the end user with a simple way to choose between security modules (AppArmor or SELinux).

Migration

As long as the profile syntax doesn't change, migration issues are minor.

Test/Demo Plan

Outstanding Issues

BoF agenda and discussion

These items would be nice to have for hardy:

Integration with the desktop

Package the gnome applet.

A GUI for managing AppArmor profiles:

  • enable and disable profiles.
  • set their enforcing mode.
  • list audit messages related to AppArmor.

system-config-selinux should be considered when designing the GUI.

Packaging helpers

Adding a new script to debhelper to automate packaging apparmor profiles:

  • updating the postinst script to reload apparmor.
  • copying the apparmor profile to the right place.

Adding support to cdbs.

Profile storage improvements

Improve profile directory layout to support repository, distro and local profiles.

Don't store the flag in the profile itself. Variables in policy, profile dependency issues.

Create new profiles

Adding profiles to:

Integration with the audit framework

Write a dispatcher for auditd.

Package the dbus event dispatcher.



HardyAppArmor (last edited 2008-08-06 16:23:34 by localhost)