KernelLucidAppArmorDevelopment

Summary

AppArmor development for Lucid should be focused on bug fixes, cleanup, upstreaming and minimal development. The focus is on changes requested by upstream along with cleanups for a better experience and help meet targets set for Lucid (boot performance, stability, supportability).

Release Note

These changes will provide faster policy load, better policy coverage and smoother tool work flow.

Rationale

Upstreaming of AppArmor module: will provides code review and will make maintenance easier. The changes made are cleanups requested as part of the code review. The set of changes is required is unknown until asked for by reviewers.

This should cover the _why_: why is this change being proposed, what justifies it, where we see this justified.

User stories

Assumptions

Design

Default security module patch

* drop current patch * if Lucid is 2.6.32 based, pull in upstream patch from 2.6.33

Changes for AppArmor from upstreaming

  • audit NAK requires some changes to output (use LSM_AUDIT)
  • * kernel changes in progress, require extension of lsm_audit struct and call backs for lsm_audit function
  • * For name collision there will need to be an update user space log parsing lib, and tool updates
  • apparmorfs interface - may need to be updated to sysfs 1 value per file - breaks abi (for older tools)
  • * requires changing breaking out some files in apparmorfs
  • * may need to carry a distro SAUCE patch for a period of time
  • * alternative is just to require updated user space tools
  • set capabilities
  • * requires changes some changes to how capability code is handled, storing off set capabilities as part of the task context and using that to do restore on context switch.

AppArmor changes for Lucid

Upstartify init scripts

  • pull AppArmor out of initramfs

  • * removes about 2MB
  • * removes doing profile loads twice

Compatibility

  • kernel perm mapping patch allowing kernel to load policy from Hardy, Intrepid, (Jaunty, Karmic, Lucid)
  • user space patch to allow user space to load policy to Hardy, Intrepid, (Jaunty, Karmic, Lucid)

Performance improvements - Policy optimization

  • dfa optimization (shrink policy size)
  • expression factoring
  • table packing
  • multi profile load patch - allow policy load to occur with less overhead

Profiling improvements

  • renaming replacement, policy reload - replacement for set_profile interface removed do to cred limitations. Used in profiling to update profiles that are in development.
  • * requires kernel and tool updates.
  • Apport hooks/notification for rejections to collect better feedback for deployed policy

Security improvement

  • ptrace - processes looking at /proc/<pid>/fd/ generate a call to ptrace_may_access which AppArmor currently does not separate from real ptrace requests. We could implement the ptrace portion of extended capabilities for AppArmor that would allow removing capability ptrace from several profiles.

Changeprofile based pamapparmor integration

  • integrate updated pamapparmor module

Potential changes if Lucid is 2.6.33 kernel

2.6.33 adds a couple new hooks that will allow for adding back in functionality that regressed in Karmic.

  • chmod
  • chown

Implementation

This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:

UI Changes

Should cover changes required to the UI, or specific UI that is required to implement this

Code Changes

Code changes should include an overview of what needs to change, and in some cases even the specific details.

Migration

Include:

  • data migration, if any
  • redirects from old URLs to new ones, if any
  • how users will be pointed to the new way of doing things, if necessary.

Test/Demo Plan

It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release. Please add an entry to http://testcases.qa.ubuntu.com/Coverage/NewFeatures for tracking test coverage.

This need not be added or completed until the specification is nearing beta.

Unresolved issues

This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved.

BoF agenda and discussion

Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.


CategorySpec

specs/KernelLucidAppArmorDevelopment (last edited 2009-11-19 20:50:41 by 63)