AppArmor Ubuntu packaging and integration
Discuss where to focus Ubuntu-specific AppArmor packaging and integration efforts.
Blueprint information
- Status:
- Started
- Approver:
- Jamie Strandboge
- Priority:
- Medium
- Drafter:
- Kees Cook
- Direction:
- Approved
- Assignee:
- Steve Beattie
- Definition:
- Approved
- Series goal:
- Accepted for oneiric
- Implementation:
- Started
- Milestone target:
- ubuntu-11.10
- Started by
- Jamie Strandboge
- Completed by
Whiteboard
Work items:
[micahg] ship disabled chromium profile in package: POSTPONED
[micahg] update firefox profile to restrict plugin-container: POSTPONED
[micahg] update browser abstractions to restrict nspluginviewer more: POSTPONED
[mdeslaur] aa-notify rate limiting/
[mdeslaur] wiki page for using the apparmor profiles repository: DONE
[mdeslaur] announce the apparmor profiles repository: DONE
[jdstrand] telepathy/
[kees] flip rate limiting bit when using aa-genprof: DONE
[sbeattie] does not offer to edit abstractions: POSTPONED
[sbeattie] doesn't suggest to use variable (@{PROC} and @{HOME}): POSTPONED
[mdeslaur] suggesting community profiles: DONE
[sbeattie] named profiles and binary globbing (all tools): POSTPONED
[jdstrand] make sure aa-logprof still works sanely: DONE
[sbeattie] PUx and pux not supported in userspace: POSTPONED
[jjohansen] fix missed transitions in handleChildren(): POSTPONED
[kees] new introspection interfaces in kernel: POSTPONED
[jjohansen] v3 tagging - kernel support: POSTPONED
[jjohansen] v3 tagging - parser support: POSTPONED
[sbeattie] v3 tagging - packaging and tools support to not die/strip: POSTPONED
[kees] AppArmor testing on ARM: DONE
[mdeslaur] adjust packaging to avoid perl on ISO: DONE
[mdeslaur] rewrite aa-status in python: DONE
[jjohansen] extend network mediation beyond socket level, stage 1 (kernel): POSTPONED
[jjohansen] base extended permission support: POSTPONED
[jjohansen] base extended capability support as part of v3 format change: POSTPONED
[sbeattie] parser config control file: POSTPONED
[jjohansen] dfa improvements, parser memory usage (patch pending): POSTPONED
[jjohansen] dfa improvements, kernel vars: POSTPONED
[jjohansen] dfa improvements, reordering of the structure: POSTPONED
[jjohansen] matcher in userspace to support regression tests, unit tests, etc: POSTPONED
[jjohansen] profile rcu patch: POSTPONED
[kees] modularization of LSM discussion started: POSTPONED
Oneiric+1 Work items:
[?] init script updates for new introspection interface
[?] parser updates for new introspection interface
[?] tool updates for new introspection interface
[?] v3 tagging - tools support to suggest v3
[?] AppArmor LXC integration - needs further specification and possibly own blueprint
[?] network stage 1 support (userspace)
[jjohansen] white paper on kernel vars: INPROGRESS
[jjohansen] set load
[jdstrand] totem-audio-preview
[jdstrand] totem-video-
[jdstrand] gnome-thumbnail
[jdstrand] gnome/nautilus patch to not fallback to unconfined image previewers when evince-previewer is used
[jdstrand] adjust mimetypes to use evince-previewer as thumbnailer
Ongoing tasks:
[sbeattie] stock up on bourbon: INPROGRESS
From etherpad (http://
Packaging requests...
- finalize stuff in /extras
- https:/
AppArmor container support
AppArmor mode 2 seccomp support
For Oneiric:
Userspace tools:
- O flip rate limiting bit when using aa-genprof
- O does not offer to edit abstractions
- O doesn't suggest to use variable (@{PROC} and @{HOME})
- O suggesting community profiles
- tool workflow
- O is aa-logprof still viable? (replacement/
- O named profiles and binary globbing (all tools)
- O P[Uu]x not supported
- O some bug jj knows about that is hard to describe (and has fix)
- Oish (needs breakdown) userspace needs to migrate away from needing compat patches (ie, use new introspection interface) -- need other bp
- O v3 tagging
- O [mdeslaur] aa-notify rate limiting/
- O AppArmor testing on ARM
- O AppArmor LXC integration
- O perl on ISO
Kernel/parser:
- O parser memory usage (patch pending)
- O ipc - to security-
- network
- O stage 1
- O extended permission
- mount
- chmod, chown
- setuid, ....
- Oish (break into work items) introspection interface
- Oish (break into work items) dfa improvements
- O set load
- O rcu
- O v3 tag and keep semantics as we go forward
- Oish modularization of LSM discussion started
Also see (for full breakdown):
http://
Added by jdstrand
Profiles:
- chromium-browser (ship in package)
- plugin-container
- nspluginviewer
- telepathy/
- totem-audio-preview
- totem-video-
- gnome-thumbnail
- gnome/nautilus patch to not fallback to unconfined image previewers when evince-previewer is used
- adjust mimetypes to use evince-previewer as thumbnailer