Re: [Tails-dev] AppArmor profiles in Debian

Borrar esta mensaxe

Responder a esta mensaxe
Autor: intrigeri
Data:  
Para: Kees Cook
CC: The Tails public development discussion list
Temas novos: [Tails-dev] apparmor: should load profiles before networking is setup
Asunto: Re: [Tails-dev] AppArmor profiles in Debian
Hi,

Kees Cook wrote (17 Feb 2012 00:10:38 GMT) :
>> >> * isc-dhcp 4.1.1-P1-17ubuntu12 (client only)
>>
>> > Yes, very handy. Order of operations is important here, though.
>> > The profile must load before any network interface. In Ubuntu,
>> > this is being done via upstart jobs -- I haven't tested it
>> > with sysvinit.
>>
>> Ah, so this was the meaning of
>> /etc/apparmor/init/network-interface-security/sbin.dhclient being
>> a symlink to /etc/apparmor.d/sbin.dhclient in the Ubuntu patch.
>> Makes sense.


> Yeah, it's a bit weird, but that's the least of a few evils.


>> With sysvinit, I think that "Required-Start: $remote_fs" in the
>> apparmor initscript will prevent AppArmor profiles to be loaded
>> before the networking initscript starts. At least on my system,
>> insserv ordered the scripts this way. Is this dependency present
>> only to support the /usr-on-NFS usecase?


> I suspect so, yes. It probably means that apparmor will either need
> to have 2 init files (early and late), or have its init modified not
> to require /usr. Both we done at various times before in Ubuntu, so
> it shouldn't be much work to make it happen.


I studied the initscript, and the associated shell library, a bit.
It seems to me the only things that require /usr in this script, when
invoked with the "start" argument, are:

  * the use of xargs' -P option (foreach_configured_profile function,
    in /lib/apparmor/functions), which busybox' xargs lacks; I think
    it can be removed, at the cost of some startup performance.


  * the use of xargs' -d"\n" option (foreach_configured_profile
    function, in /lib/apparmor/functions), which busybox' xargs lacks;
    I think it could be dropped since the input is a sequence of lines
    output by `ls -1'.


What do you think?

>> (Rationale: I'd like to report that aa-status and aa-genprof are
>> unusable as is, so that the next adventurous people who happen to
>> try AppArmor in Debian can easily find out what's happening, and
>> these bugs should be marked as blocked by the one that tracks the
>> lack of the "legacy interface" support in the kernel.)


For the record, this was done: #661153 and #661154.

To end with, I created a page [0] about AppArmor on the Debian wiki,
and discovered that dh-apparmor is currently unusable on Debian
(#661161), which, unless I'm mistaken, blocks pushing profiles at
Debian maintainers.

[0] http://wiki.debian.org/AppArmor

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
| Every now and then I get a little bit restless
| and I dream of something wild.