HardyAppArmor
Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.
Launchpad Entry: apparmor-integration
Packages affected: apparmor, libapparmor, * (any package with a profile)
Summary
Improve AppArmor usability and integration for Hardy.
Release Note
Rationale
AppArmor has been officialy integrated and supported in Gutsy. Although the core functionality is there, more work needs to be done to improve the integration with other system components.
Use Cases
Alice wants to immediately know when a program violates AppArmor policy. She wants to leverage her existing monitoring infrastructure.
Bob wants to configure AppArmor for his desktop. He wants to see which profiles are enabled, their enforcing policy. He can also enable and disable the available profiles for the same GUI.
Carl has setup an audit infrastructure and wants to collect AppArmor events with it.
Dan has recently joined the Ubuntu QA team and sees more and more random crashes. Some of them are related to an innacurate AppArmor profile. His triagging process is greatly helped with the AppArmor information added to each apport bug report.
Assumptions
Upstream will have a stable release for Hardy largely similar to the version in Gutsy: AppArmor roadmap
Design
Implementation
Kernel integration
The AppArmor module is currently included in linux-ubuntu-modules.
AppArmor 2.1 needs some changes in the VFS stack. Patches have been sent to upstream, but they haven't been accepted yet.
They are some issues with unionfs.
The Ubuntu Kernel team needs to keep track of these issues.
System integration
Package pam_apparmor.
Create new profiles
Adding profiles to:
- dhclient (drop the de-rooting patch).
Integration with the audit framework
Update auditd and include it in main.
Integration with apport
Log parsing library should be up to date, may have some problems with parts of old log format in Feisty universe.
Package the python bindings for the log parsing library.
Write a general hook for apport so that apparmor audit messages are added to the report.
Integration with SELinux
Provide the end user with a simple way to choose between security modules (AppArmor or SELinux).
Migration
As long as the profile syntax doesn't change, migration issues are minor.
Test/Demo Plan
Outstanding Issues
BoF agenda and discussion
These items would be nice to have for hardy:
Integration with the desktop
Package the gnome applet.
A GUI for managing AppArmor profiles:
- enable and disable profiles.
- set their enforcing mode.
list audit messages related to AppArmor.
system-config-selinux should be considered when designing the GUI.
Packaging helpers
Adding a new script to debhelper to automate packaging apparmor profiles:
- updating the postinst script to reload apparmor.
- copy the apparmor profile to the right place.
Adding support to cdbs.
Profiles storage improvments
Improve profile directory layout to support repository, distro and local profiles.
Don't store the flag in the profiles itself. Variables in policy, profile dependency issues.
Create new profiles
Adding profiles to:
- gdm.
- mousemu.
Integration with the audit framework
Write a dispatcher for auditd.
Package the dbus event dispatcher.
HardyAppArmor (last edited 2008-08-06 16:23:34 by localhost)