AppArmor
This page exists to track the state of AppArmor for Karmic.
The general task list for AppArmor will be moved and only Kernel Status will stay here
AppArmor will miss the .31 merge window: there were some severe problems with new features that were done as part of the port to the .29/.30 kernels, in particular user defined policy and the new interface for loading profiles from user space. It has been decided to pull these features and shoot for Jaunty feature parity and stability before any new features are introduced back in.
Background on removed features
The user defined policy adds extra complexity to the kernel module and has subtle interaction with system policy increasing the time needed to debug and validate. It also relied on the new interface format.
The new interface format restructured the policy load to fix certain policy deficiencies and improve on policy size. It reworked the dfa computations so that accept states were just indexes into a permission table. This results in smaller dfas (hence smaller policy), allows for larger and more flexible permission sets, better conditional support and greater flexibility for reuse. The rework also allowed the profile hierarchy to be properly expressed, so that atomic removal of subprofiles and hats would be possible.
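As an added illustration of the accept-state rework described above (this is not AppArmor's kernel or parser code): a toy path-matching dfa whose accept states hold only an index into a separate permission table, so identical permission sets share one entry and the table can change without rebuilding the dfa. The permission bit values, the sample rules and the assumption that rules do not overlap are constructed for the example.

```python
# Added illustration, not AppArmor's code: constructed permission bit layout.
PERM_BITS = {"r": 1, "w": 2, "x": 4, "l": 8}

def build_dfa(rules):
    """Compile (path, perms) rules into a char-level dfa.

    Returns (transitions, accept, perm_table): transitions[state] maps a char
    to the next state (key None = default edge, used as a self-loop for a
    trailing '**' glob); accept[state] is an INDEX into perm_table, not a
    permission mask; perm_table[i] is the bitmask. Identical permission sets
    share one entry. Assumption: rules do not overlap (AppArmor's compiler
    unions overlapping rules; that is not shown here).
    """
    transitions, accept, perm_table, table_index = [{}], {}, [], {}
    for path, perms in rules:
        mask = sum(PERM_BITS[p] for p in perms)
        if mask not in table_index:              # dedupe permission sets
            table_index[mask] = len(perm_table)
            perm_table.append(mask)
        glob = path.endswith("**")
        if glob:
            path = path[:-2]
        state = 0
        for ch in path:
            if ch not in transitions[state]:
                transitions.append({})
                transitions[state][ch] = len(transitions) - 1
            state = transitions[state][ch]
        if glob:
            transitions[state][None] = state     # any further char stays here
        accept[state] = table_index[mask]
    return transitions, accept, perm_table

def lookup(dfa, path):
    """Run path through the dfa; return its permission mask (0 = no match)."""
    transitions, accept, perm_table = dfa
    state = 0
    for ch in path:
        state = transitions[state].get(ch, transitions[state].get(None))
        if state is None:
            return 0
    return perm_table[accept[state]] if state in accept else 0

def allowed(dfa, path, perm):
    return bool(lookup(dfa, path) & PERM_BITS[perm])

SAMPLE_RULES = [("/etc/hosts", "r"), ("/etc/ld.so.cache", "r"),
                ("/var/log/app/**", "rw"), ("/usr/bin/app", "rx")]  # constructed
DFA = build_dfa(SAMPLE_RULES)
```

Four rules produce only three permission table entries because the two read-only rules share one index.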
While the kernel code has bugs, the new user-side policy generation code is generating bad policy, hampering kernel testing. Evaluating the amount of work needed to fix the policy generation tools and ensure that user defined policy is working correctly, it was determined that the removal of these features would be significantly quicker; relying on the Jaunty tool chain also means that the kernel can be validated against a known quantity.
Kernel Task List
Task | Est. Date | Status | Notes
Strip user defined policy, new interface | June 23 | Done |
Compile and Booting (.30) | June 24 | Done | Point security team at code
Passing AppArmor regression suite (.30) | June 29 | Done |
rebase to .31-rcN | TBD | Done |
Regression test .31-rcN | .31-rcN + 2 days | In Progress | ecryptfs loopback
Security Team sign off | TBD | not started |
*Compile and Booting - successful compile without warnings, and boot the kernel with the AppArmor module. At this stage it will be labeling all tasks and files with the "unconfined" profile. All execs will be traversing through the attachment code.
*Passing AppArmor regression suite - successfully pass a variety of different confinement and stress tests that verify the security module's behavior. This will also include loading a basic profile set on real world applications.
Each regression test has several subtests. If a test is marked regression, all subtests are failing, otherwise it is marked with what is causing the failure or the number of tests failing. If there is no note all subtests are passing.
Regression Test Status table
Test | Notes
running access | - semantic change, no longer supported
running capabilities |
(ptrace) |
(sethostname) |
(setdomainname) |
(setpriority) |
(setscheduler) |
(reboot) |
(chroot) |
(mlockall) |
(net_raw) |
running changehat |
running changehat_fork |
running changehat_misc |
running chdir |
running clone |
running deleted |
running environ |
running exec |
running exec_qual |
running fchdir |
running fork |
running i18n |
running link |
running link_subset |
mkdir |
running mmap |
running mount |
running mult_mount |
running named_pipe |
running net_raw |
running open |
running openat |
running pipe |
running ptrace |
running pwrite |
running regex |
running rename |
running readdir |
running rw |
running swap | - regression
running sd_flags |
running setattr | - semantic changes
running symlink |
running syscall |
running unix_fd_server |
running unlink |
running xattrs | - semantic changes
running longpath |
Other testing and issues
Issue | Reference | Status | Notes
complain audit messages | | done | Complain mode generates a large volume of audit messages (DOS of the audit log). When auditd is not in use these messages are subject to printk_ratelimit, which means the majority of messages will be dropped. This is a problem for the learning tools. After talking to kees about the issue, the solution is to require auditd for genprof/logprof. This is acceptable as it only affects people doing profile development.
ecryptfs | lpn:359338 | In progress | As expected, works properly for create, mkdir, rm, rmdir, link, symlink. Has the issue with loop back seeing the file name in dentry_open.
aufs | lpn: | In progress | All paths appear in loop back; may be better to deal with at the policy level. This is not a regression from Jaunty.
*Rebase to .31-rcN - rebase the stable .30 version against .31 so that it is ready for merge to the Karmic kernel tree. The rebasing to .31 can be done early, but testing will continue against .30 to help separate AA regressions from the churn of .31 regressions.
*Security Team sign off - Whenever Kees is done beating me with a big stick, for all the pain I am putting him through.
General AppArmor Task list
# | Component | Task | Est. Date | Status | Deps
1 | Kernel Security Module | Functioning | 29 June 2009 | In progress |
2 | Parser | boot faster - multiple profile load | July | Done |
3 | Parser | boot faster - compiled policy cache | July | Done |
x | init scripts | boot faster - use multi-profile load | July | Done | 2
x | init scripts | use upstart | July | Not started | 2
x | MOD AppArmor | update for latest apache | | |
4 | PAM AppArmor | external control file | July | In progress |
5 | PAM AppArmor | use change_profile/change_onexec | July | In progress | 1
6 | MOD Tomcat | update for tomcat v.?? | July | In progress |
x | Genprof | x. update to new format | July | | 1
x | libaalogparse | x. update to new format | July | | 1
x | notification | ???? | July | | 1
KernelTeam/ReleaseStatus/AppArmor (last edited 2009-07-28 14:22:24 by pool-173-50-148-28)