AppArmor LXC development
Discuss how AppArmor and LXC are working together and what improvements should be made.
Blueprint information
- Status: Complete
- Approver: Jamie Strandboge
- Priority: Essential
- Drafter: John Johansen
- Direction: Approved
- Assignee: John Johansen
- Definition: Approved
- Series goal: Accepted for raring
- Implementation: Implemented
- Milestone target: ubuntu-13.04
- Started by: Jamie Strandboge
- Completed by: Jamie Strandboge
Whiteboard
jdstrand: For monthly planning purposes, some work items were broken out into the following:
https:/
jdstrand, 2013-03-28: postponed work added to https:/
From etherpad (http://
Features in development
- stacking
* POC in 2-3 weeks for base stacking (i.e., not userspace namespaces, have aa_stack_profile as opposed to change stacking in policy)
* this allows us to both limit the container and have profiles within the container
- conditional rules
* base conditionals by 13.04
* e.g.:
    fs=procfs proc/foo rw,
    label=foo /foo/bar rw,
- mount fixes/improvements
* 'umount /mnt/{**,},'
- delegation (parent hands capabilities to the child)
Cleaner way of dealing with things like:
    deny /sys/[^f]*/** wklx,
    deny /sys/f[^s]*/** wklx,
    deny /sys/fs/[^c]*/** wklx,
    deny /sys/fs/c[^g]*/** wklx,
    deny /sys/fs/cg[^r]*/** wklx,
* should be in 13.04 as part of conditionals work
- extended regex matching and boolean operations
    e.g. allow /** - /sys/fs/cgr*/** wklx,
- netlink? (to filter uevents) - e.g. network netlink (create,bind,rw),
* on schedule. Will look like a regular network rule. First pass: mask off a family or not. Planned for 13.10, maybe sooner
* this will also bring in abstract unix domain socket mediation
- labeling
- bug on declaring variables outside of the preamble (i.e., in a .d directory)
Can we have all of the above by 14.04? Yes. Work is planned and in progress
- stacking prototype is almost done
- conditional rules are a bit later (base conditionals in 13.04, others later)
User namespaces - 14.04
Work items should be brought forward from 12.10 since they already deal with these improvements
Work Items
Work items:
[jjohansen] aa-namespaces, controls limiting policy - kernel (essential) (3): POSTPONED
[jjohansen] aa-namespaces, controls limiting policy - regression tests (essential) (2): POSTPONED
[jjohansen] stacking - parser tests (essential) (1): POSTPONED
[jdstrand] stacking - update man pages where necessary for stacking (essential) (1): POSTPONED
[sbeattie] update Ubuntu packages (essential) (1): POSTPONED
[jjohansen] labeling - RFC/discussion (essential) (2): POSTPONED
[jjohansen] labeling - regression tests (4): POSTPONED
[jjohansen] fd passing - revalidate files at exec (essential) (3): POSTPONED
[jjohansen] fd passing - revalidate files at ipc (essential) (1): POSTPONED
[jjohansen] fd passing - regression tests (essential) (2): POSTPONED
[sbeattie] stacking - create ppa for testing (essential) (0.5): DONE
[jjohansen] labeling, implicit label sets - kernel (essential) (5): DONE
Work items for later:
[jjohansen] labeling, interface to introspect fd label (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - upstream (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - kernel (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - parser (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - parser tests (essential) (0.5): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - regression tests (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - aa-logparse, including tests (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - userspace tools (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - userspace tool unit tests (essential) (1): POSTPONED
[jjohansen] ext. mediation, clone newns.., controls - documentation/man pages (essential) (0.5): POSTPONED
[jjohansen] stacking, RFC/discussion - (essential) (2): POSTPONED
[jjohansen] stacking - upstream (medium) (5): POSTPONED
[jjohansen] stacking, investigate cgroup composition - kernel (essential) (2): POSTPONED
[tyhicks] stacking - regression tests for capabilities (essential) (2): POSTPONED
[tyhicks] stacking - regression tests for rlimits (essential) (2): POSTPONED
[tyhicks] stacking - regression tests for files (essential) (2): POSTPONED
[tyhicks] stacking - regression tests for network (essential) (2): POSTPONED
[tyhicks] stacking - regression tests for ipc (essential) (2): POSTPONED
[tyhicks] stacking - regression tests for mount (essential) (2): POSTPONED
[tyhicks] stacking - update aa-status to work with compound profile names (essential) (1): POSTPONED
[jjohansen] stacking - update genprof/logprof to handle compound profile names (low) (3): POSTPONED
[jjohansen] aa-namespaces, controls limiting policy - upstream (essential) (0.5): POSTPONED
[jjohansen] aa-namespaces, controls limiting policy - documentation (essential) (1): POSTPONED
[jjohansen] stacking, initial white paper doc - (essential) (4): POSTPONED
[jjohansen] labeling - initial white paper (essential) (4): POSTPONED