Hi,
here's an update wrt. my work on confining (sandboxing) applications
with AppArmor in Tails.
- AppArmor support for stacked filesystems -- it's now clear that this
  won't land soon enough for our needs; so, I've found some
  workarounds, as demonstrated in the feature/apparmor branch.
  Details later in this email. When upstream supports stacked
  filesystems well enough (or when we replace aufs with overlayfs),
  we can drop these hacks.
- Ship more AppArmor profiles in Debian -- pretty good progress was
  made on this front this year:
    https://wiki.debian.org/AppArmor/Progress
  ... and I encourage each of you to try it out on your non-Tails
  Debian systems:
    https://wiki.debian.org/AppArmor/HowTo
- Confine applications with AppArmor in Tails -- thanks to our
  "upstream first!" way of doing things, we're benefiting from the
  above work done in Debian (almost) for free. On our feature/apparmor
  branch, Tor, Vidalia, Totem, Evince and Pidgin are confined with
  profiles that come straight from Debian, modulo some hacks I had to
  do to support Live systems. Next thing to do: make sure it works
  with persistence too. I'll try hard to have this ready in time for
  Tails 1.2.
- Sandbox the browser -- I'm now the de facto maintainer for the
  AppArmor profiles shipped in upstream torbrowser-launcher, so let's
  say I now have a pretty good starting point and knowledge of the
  problem. I'm pretty sure I can use the same tricks I used for the
  other profiles mentioned above, to adapt these Tor browser profiles
  for sandboxing our browser. I doubt I'll be able to complete that
  for Tails 1.2.
  On the one hand, the next major release is in February (!), so well,
  maybe I really should get this ready for 1.2 anyway. On the other
  hand, maybe giving AppArmor a try on Tails with a bit less hairy
  profiles, to start with, would be more reasonable.
  Advice is welcome.
  Note: if AppArmor doesn't work out well for this specific task, my
  backup plan is to use Linux containers + xpra. I've been nagging the
  Subgraph folks into sharing their tricks in this area, and they tell
  me they'll be able to give me something in 2 weeks. This backup plan
  can possibly be implemented for Tails 1.3, but definitely not
  earlier. Also note that it's not necessarily either/or: we can
  probably use both AppArmor *and* Linux containers, although this may
  require a bit too many hard-to-maintain hacks for my taste.
So, all in all, this stuff is well on its way to being shipped partly
in Tails 1.2, and entirely in Tails 1.3.
Thoughts, opinions, advice?
(Oh, and you're more than welcome to start testing the
feature/apparmor branch right now :)
Cheers,
-- 
intrigeri