Re: [Tails-dev] AppArmor profiles in Debian

Delete this message

Reply to this message
Autore: Kees Cook
Data:  
To: intrigeri
CC: apparmor, tails-dev, debian-derivatives
Oggetto: Re: [Tails-dev] AppArmor profiles in Debian
Hi!

On Sat, Feb 11, 2012 at 11:12:50PM +0100, intrigeri wrote:
> Now that we have an AppArmor-enabled kernel in Debian, I'd like to see
> Wheezy released with at least a few working profiles, and specifically
> (in decreasing order of priority):
>
>  1. some of the Usual Suspects™ on the Desktop: evince, iceweasel,
>     isc-dhcp-client;


Ubuntu's evince and isc-dhcp-client profiles are very well tested at this
point. I think it should be easy to move those into Debian if they're not
there already.

>  2. some software that is particularly important in the context of
>     Tails [0]: I'm mainly thinking of Tor, but GnuPG and icedove also
>     come to mind.


What did you have in mind for GPG? Protecting it from itself is a bit
tricky. :)

>  3. some low-hanging fruits from Ubuntu's "Supported profiles in main"
>     list [1] that, I guess, you know very well: apache2, libvirt.

>
> [0] https://tails.boum.org/
> [1] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles


I think just encouraging all the maintainers to pull in the Ubuntu patches
for AppArmor profiles is the best way to start. Several packages have
already done this (e.g. bind9).

> To get things started, I have started using some of the profiles
> shipped in the apparmor-profiles packages; but none of the


There's documentation in the Ubuntu wiki on transitioning profiles from the
apparmor-profiles package to the individual packages;
https://help.ubuntu.com/community/AppArmor#Migrating_an_apparmor-profiles_profile_to_a_package

> aforementioned software is supported, so I've extracted the profiles
> from the following Ubuntu packages, and have been running them in
> enforcing mode on my main Debian (sid) system:
>
> * firefox 11.0~b2+build1-0ubuntu1


The firefox profile remains tricky as far as enabling by default.

> * evince 3.3.5-0ubuntu1


This is pretty well tested by now.

> * isc-dhcp 4.1.1-P1-17ubuntu12 (client only)


Yes, very handy. Order of operations is important here, though. The profile
must load before any network interface. In Ubuntu, this is being done via
upstart jobs -- I haven't tested it with sysvinit.

> After one more week or so, once I'm confident they work nicely, I'll
> ask for the inclusion of these AppArmor profiles in the respective
> packages, most likely by way of wishlist+patch bugs.
>
> Are you interested in participating in this effort in some way?
> Any kind of help is welcome: you can test profiles on
> a testing/unstable system, track bug we will report, help convince
> maintainers our patches are worth applying, etc.
>
> How can we coordinate? I suggest:
>
>   * a page on the Debian wiki: idea, goals, pointers
>   * a usertag on the BTS to track work-in-progress
>     (associated to which email? apparmor@????)
>   * anyone knows if any part of the infrastructure that was developed
>     for the derivatives initiative would be useful for this project?


One of the major stumbling blocks right now is that the "legacy interface"
patch is not carried by the Debian kernel. This means that network
mediation does not work at all, and that profile states cannot be queried,
which makes using AppArmor in production on Debian rather troublesome.

I've been working on building the new interface for the kernel, but it is
slow-going. In the meantime, it would be great if someone could convince
the Debian kernel maintainers to carry the interface patch. My efforts
there have failed in the past, but maybe new people will succeed.

> Also, I'd like to get Ubuntu folks associated with this effort:
> making their delta with Debian smaller will make their job easier, so
> I guess they'll be happy to give a hand. Who shall we talk to? I could
> simply fetch the top contributors' name on launchpad and email them,
> but Kees may have better suggestions? Maybe you want to tell them
> yourself about it?


I've added apparmor@??? (the main AppArmor mailing list) to
the CC since a lot of distro integration discussion happens there in
addition to development work.

> Any other Debian derivative interested?
>
> I think we also should tell the security team (and possibly the
> broader Debian community) about this initiative at some point if it
> gains some kind of traction and gets real.
>
> To end with, I'm conscious time is running fast, the Wheezy freeze is
> coming quickly, and it's time to fix RC bugs rather than having shiny
> new ideas. That's why I find it important to set fairly limited goals
> and target only a few selected pieces of software for Wheezy.


Frankly, I don't think AppArmor is in shape for "production" use in Wheezy
due to the kernel limitations. I don't think this is a big problem -- it is
available for people to start working with, and we should continue to knock
out any bugs we find, but I want to make sure we set expectations
correctly.

> Thoughts, suggestions, pointers are welcome.


Thanks for the email! I'm glad people are interested in this for Debian. :)

-Kees

-- 
Kees Cook                                            @debian.org