[pkg-apparmor] AppArmor BoF at Debconf - report

u u at 451f.org
Thu Jul 7 18:28:00 UTC 2016 

Attendees: u, Ximin, Guido, Alan, mesutcang, nicoo, jerith

Status, updates and plans
=========================

team
----

* still active: Felix, intrigeri, u
* new active member: nicoo
* h01ger left
* kees inactive

userspace
---------

apparmor source package in Debian.
upstream - Canonical

kernel
------

AppArmor support in the kernel: Generally, we rely on mainline Debian's
kernel and upstream who works in the canonical Linux kernel.
This means we lack some support:
* dbus calls mediation
* mount rules / containers

In Debian
* we have mandatory access control
* POSIX Support in mainline

policy
------

Policy done in Debian.
Some is on the apparmor-profiles-extra package.
Other profiles shipped in the respective packages.

Cross-distro
------------

Git repository layout which is still in the notes of intrigeri from
Debconf15.
Upstream just converted their repository to Git.

TODO
----

* does it make sense to ship profiles in the package only if upstream
ships it or if it does not then we ship it in the upstream repo.

Testing:
* how do we test? do we have scripts?
* proposal: check if aa is enabled and then try to fetch violations?
* idea of bugscript: we ship the script inside of the apparmor package.
maintainers can add if $script exists, source $script. maybe this could
add a usertag too? nicoo would like to look into it. => todo create
bugreport with nicoo in cc.

Icedove: better ship this before the freeze.

Debugging:
* Add things to "man apparmor" and AppArmor upstream wiki from John
Johansen https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218 :u:
* Click on an URL in the aa-notify window for maintainers and/or
non-technical users to debug?

Tasks for starters:
*
https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=new-profile&user=pkg-apparmor-team%40lists.alioth.debian.org

Next big(ger) goals
===================

Candidates:

* desktop notifications
 Broken policy:
 - apparmor-notify package gives users visual feedback. main blocker is
that currently only  root can read auditd logs. auditd maintainers
should chmod the logs to adm, because we don't want to run auditd as
root. Ximin: redirect to a different user. :nicoo: patch auditd for
proper permissions.

* enabled by default
* enabled when the apparmor package is installed

We cannot count on Upstream to do the work for Wayland, because they
won't yet ship Wayland. For Stretch we are good.

Blockers for getting aa enabled by default
------------------------------------------
* more people should use it, maybe we can enable it during a BoF?
* We need some sort of marketing speech for maintainers to tell them
what this means and what they are risking.
* Gather data and build argument around that? popcon? tails?
* make it easier to enable it by default
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702030 :nicoo:alan:
* what about having a package with working profiles and half buggy
profiles (in complain mode) instead of the current apparmor-profiles
some of which don't work
 - some of those half working should move to
/usr/share/doc/apparmor/examples :intrigeri:
* start a discussion to enable it by default right after stretch is
released.

* don't forget the server usecase
* don't forget libvirt

* RC Scripts could be made much simpler - help is welcome.

AppStores/DMGs
--------------
Flatpack/Redhat/SELinux, UbuntuSnap/AppArmor (sandboxing), this makes it
less obvious to make a choice for Debian.
Shipping aa by default, people who will want to use flatpack, will not
be able to do it.

Mailinglist
-----------
pkg-apparmor-team at lists.alioth.debian.org

More information about the pkg-apparmor-team mailing list