[Tails-dev] AppArmor profiles in Debian

Author: intrigeri
Date:
To: Kees Cook
CC: tails-dev, debian-derivatives
New subjects: Re: [Tails-dev] AppArmor profiles in Debian
Subject: [Tails-dev] AppArmor profiles in Debian
Hi Kees, hi lists,


Now that we have an AppArmor-enabled kernel in Debian, I'd like to see
Wheezy released with at least a few working profiles, and specifically
(in decreasing order of priority):

 1. some of the Usual Suspects™ on the Desktop: evince, iceweasel,
    isc-dhcp-client;


 2. some software that is particularly important in the context of
    Tails [0]: I'm mainly thinking of Tor, but GnuPG and icedove also
    come to mind.


 3. some low-hanging fruits from Ubuntu's "Supported profiles in main"
    list [1] that, I guess, you know very well: apache2, libvirt.


[0] https://tails.boum.org/
[1] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles


To get things started, I have started using some of the profiles
shipped in the apparmor-profiles packages; but none of the
aforementioned software is supported, so I've extracted the profiles
from the following Ubuntu packages, and have been running them in
enforcing mode on my main Debian (sid) system:

* firefox 11.0~b2+build1-0ubuntu1
* evince 3.3.5-0ubuntu1
* isc-dhcp 4.1.1-P1-17ubuntu12 (client only)

After one more week or so, once I'm confident they work nicely, I'll
ask for the inclusion of these AppArmor profiles in the respective
packages, most likely by way of wishlist+patch bugs.

Are you interested in participating in this effort in some way?
Any kind of help is welcome: you can test profiles on
a testing/unstable system, track bugs we will report, help convince
maintainers our patches are worth applying, etc.

How can we coordinate? I suggest:

  * a page on the Debian wiki: idea, goals, pointers
  * a usertag on the BTS to track work-in-progress
    (associated to which email? apparmor@????)
  * does anyone know if any part of the infrastructure that was developed
    for the derivatives initiative would be useful for this project?


Also, I'd like to get Ubuntu folks associated with this effort:
making their delta with Debian smaller will make their job easier, so
I guess they'll be happy to give a hand. Who shall we talk to? I could
simply fetch the top contributors' names on Launchpad and email them,
but Kees may have better suggestions? Maybe you want to tell them
yourself about it?

Any other Debian derivative interested?

I think we also should tell the security team (and possibly the
broader Debian community) about this initiative at some point if it
gains some kind of traction and gets real.

To end with, I'm conscious time is running fast, the Wheezy freeze is
coming quickly, and it's time to fix RC bugs rather than having shiny
new ideas. That's why I find it important to set fairly limited goals
and target only a few selected pieces of software for Wheezy.

Thoughts, suggestions, pointers are welcome.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
| Do not be trapped by the need to achieve anything.
| This way, you achieve everything.