AppArmor development
Discuss where to focus AppArmor development and integration efforts
Blueprint information
- Status:
- Not started
- Approver:
- Jamie Strandboge
- Priority:
- Medium
- Drafter:
- John Johansen
- Direction:
- Approved
- Assignee:
- John Johansen
- Definition:
- Approved
- Series goal:
- Accepted for quantal
- Implementation:
- Deferred
- Milestone target:
- ubuntu-12.10-beta-1
- Started by
- Completed by
Whiteboard
Pythonize simple apparmor tools (aa-enforce, aa-disable, aa-complain)
- aa-enforce- strip out flags and remove symlink
- aa-disable - just use the symlink
- aa-complain may not be so low hanging. do symlink as first pass and then maybe strip out stuff
LXC
shouldn't need extra flags - workarounds sufficient for now, but need to be fixed by 13.04 or so
stacking profiles is a high priority (lot of work, may not hit for 12.10)
overlayfs bug regarding private namespace (related to disconnected paths and private namespace)
hallyn wants to prevent a udevadm trigger
- netlink
- netlink second layer
- will need to check the policy to see if it will be blocked and if so test the policy before uploading
DBus
- porting work getting there
- interface that we can upstream for dbus to know what is happen
- get dbus work into ppa (dbus patches are still against 1.4, but patches based on upstream feedback)
- once it is in a ppa, send upstream for review
- policy language needs to be refined
Cgroups
- early protoype, not for 12.10
Network mediation
-
Profiles repository
- existing apparmor-profiles project is bottlenecked on apparmor mailing list/merge request
- could add a 'community/' directory to help
- userspace tools are still not suggesting things
- could adjust the tools to use bzr to suggest and publish to private branch and perform a merge request
Work Items
Work items:
[jjohansen] post outcome of this meeting to the mailing list (medium) (0.5): DONE
[mdeslaur] when go to profile something, can we query the server (medium) (1): POSTPONED
[mdeslaur] figure out a way to make Ubuntu profiles available to others once we have shipped them (low) (1): POSTPONED
[mdeslaur] figure out a way to make profile sharing between distros work better (low) (1): POSTPONED
[jdstrand] send aa-sandbox prototype to the mailing list (medium) (1.5): DONE
[jdstrand] port/merge/verify existing python tools to python3 (medium) (1): DONE
[sbeattie] named profiles and binary globbing (all tools) (medium) (3): POSTPONED
[sbeattie] PUx and pux not supported in userspace (medium) (1): POSTPONED
[sbeattie] investigate seccomp2 support in AppArmor. Additional work items may fall out as a result of this investigation. (medium) (2): POSTPONED
[sbeattie] convert build system to use autotools (low) (3): POSTPONED
[sbeattie] base policy introspection interface - userspace tools unit tests (low) (2): POSTPONED
[jjohansen] policy interface, usertool change notification - kernel - deps base introspection (medium) (5): POSTPONED
[jjohansen] dynamic lookup/files for policy introspecition - deps base introspection (low) (10): POSTPONED
[jjohansen] stop mode - upstream (low) (1): POSTPONED
[jjohansen] stop mode, global flag - kernel (low) (0.5): POSTPONED
[jjohansen] upstream, LSM module unload patch (low) (5): POSTPONED
[jjohansen] upstream, lsm_audit - allow passing of GFP flags to reduce chance of dropping (low) (2): POSTPONED
[jjohansen] upstream, lsm_audit - return error when message fails (low) (2): POSTPONED
[jjohansen] LSS status report presentation (low) (1): POSTPONED
[jdstrand] commit aa-easyprof tree soon (trunk only): DONE