Improve packaging of AppArmor
Review things that need attention in the packaging of AppArmor in Ubuntu:
* upstart
* /etc cleanup
* bindings
Blueprint information
- Status: Started
- Approver: Steve Beattie
- Priority: High
- Drafter: Jamie Strandboge
- Direction: Approved
- Assignee: Kees Cook
- Definition: Discussion
- Series goal: Accepted for natty
- Implementation: Slow progress
- Milestone target: None
- Started by: Kees Cook
- Completed by:
Whiteboard
Work items:
[jdstrand] add bindings tests: DONE
[kees] move /etc/apparmor/
[kees] move cache out of etc/ into /lib/apparmor/: POSTPONED
[sbeattie] enable bindings in the Ubuntu packaging with separate packages (universe): DONE
[kees] cleanup to use modern debian packaging: DONE
[kees] move profile control symlinks into /etc/apparmor/: POSTPONED
[kees] write helper script/exec. Should be in upstart so that everything is ok if uninstall apparmor: DONE
[kees] update packaging for job files that already load profiles: DONE
[kees] get apparmor packaging into debian http://
= Gobby notes =
AppArmor in Ubuntu:
== What to include ==
* we already have the perl binding
* all bindings build, but the python and ruby ones aren't tested because they aren't packaged
* add other bindings if/when there is demand (eg java) -- not now
* [ACTION] kees: enable in the Ubuntu packaging with separate packages (universe)
* [ACTION] jdstrand: verify binding via writing test case for upstream
== Packaging ==
* [ACTION] kees: cleanup to use modern debian packaging
== Upstart ==
* Requirements
* must not affect boot performance (we must do absolute minimum in early boot)
* parser should load from directory instead of bash script iterating on profiles
* would be nice if not in init.d
* packages that have upstart jobs should load their own profile (eg mysql, avahi)
* [ACTION] write helper script/exec. Should be in upstart so that everything is ok if apparmor is uninstalled
* [ACTION] update packaging for job files that already load profiles
* early boot network dependent things (eg dhclient)
* /etc/apparmor/
* seems ok for now
* would be nice if it didn't reload already loaded profiles, but fixing that may not realize any performance benefits
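The helper the upstart action items describe, written out as an added example (this is not the helper the Ubuntu package ships): a script a package's own upstart job calls from its pre-start stanza to load just that package's profile. The install path /lib/init/apparmor-profile-load shown in the comment and the function name load_profile are assumed for illustration. The requirement that "everything is ok if apparmor is uninstalled" is met by returning success whenever the parser, the kernel's securityfs entry, or the profile file is missing; only a profile that exists but fails to parse makes the pre-start fail, so a broken policy is noticed instead of silently leaving the daemon unconfined. The paths are parameters so the logic can be exercised on a machine without AppArmor.

```sh
#!/bin/sh
# Added example, not the helper shipped by the Ubuntu package: a profile-load
# script meant to be run from a package's own upstart job, e.g. (assumed
# install path and job stanza):
#
#   pre-start exec /lib/init/apparmor-profile-load usr.sbin.mysqld
#
# Each precondition check returns success, so the job still starts when
# AppArmor is absent: parser uninstalled, LSM not active in the kernel (no
# securityfs entry), or the package's profile file missing.
#
# The parser, profile directory and securityfs paths are parameters so the
# logic can be tested on a machine without AppArmor; the defaults are the
# usual Ubuntu locations.

load_profile() {
    profile_name=$1
    parser=${2:-/sbin/apparmor_parser}
    profiles_dir=${3:-/etc/apparmor.d}
    securityfs=${4:-/sys/kernel/security/apparmor}

    [ -n "$profile_name" ] || return 0
    # Only accept a plain file name inside the profile directory; a name
    # containing a slash (e.g. "../../tmp/x") or a leading dot is ignored.
    case $profile_name in
        */*|.*) return 0 ;;
    esac

    # AppArmor not installed or not active: nothing to do, and that is fine.
    [ -x "$parser" ] || return 0
    [ -d "$securityfs" ] || return 0
    [ -f "$profiles_dir/$profile_name" ] || return 0

    # -r replaces a profile that is already loaded, so re-running on service
    # restart is safe; -W writes the binary cache so later boots skip parsing.
    # A parse error propagates as the exit status, which fails the pre-start.
    "$parser" -r -W "$profiles_dir/$profile_name"
}

# When invoked as a script (rather than sourced), load the named profile.
case ${0##*/} in
    apparmor-profile-load) load_profile "$1" ;;
esac
```

Because apparmor_parser also accepts a directory argument, the same -r -W invocation pointed at /etc/apparmor.d covers the "load from directory instead of a bash loop" requirement for the one early-boot job that still loads everything; the per-package helper above is for jobs that only need their own profile.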
== /etc cleanup ==
* apparmor.d - policy and cache
* apparmor - config file and scripts
* /etc/apparmor.
* move to /lib/apparmor/cache
* on upgrade regenerate the cache
* move /etc/apparmor.
* move /etc/apparmor.
* profiles won't use complain flag anymore, move to directories or flat text (TBD)
* dynamic profiles
* libvirt to be adjusted to pass a flag to apparmor_parser to flag the file as dynamic. This should prevent the policy from being removed on reload
* could also have another flag to say that when nothing is referencing the profile, unload it
* move libvirt and apache2 to /etc/apparmor.
== Debian ==
* make sure AppArmor is in their kernel
* on packages that don't already have the profiles in Debian, ship them
* post-squeeze get this into Debian
* get packaging documentation surrounding apparmor for Debian developers to get involved
* create separate package for debhelper for Debian and backports