[Tails-dev] AppArmor in Live systems, state of the union

Delete this message

Reply to this message
Autor: intrigeri
Data:  
Dla: AppArmor dev list
CC: freepto, tails-dev
Temat: [Tails-dev] AppArmor in Live systems, state of the union
Hi folks,

[Cc'ing my fellow Tails developers, and also the Freepto ones who
might be interested.]

I'm super happy to tell you that we've now released Tails 1.2,
finally with some minimal AppArmor support! :)

Our implementation is described on
https://tails.boum.org/contribute/design/application_isolation/

We finally didn't take the alias rules way, and instead added some
ad-hoc kludges: see the "Hacks to support the Live system usecase"
section. Comments about these hacks are more than welcome. We also
added some minimal automated tests to validate the behavior of shipped
profiles, both with and without persistence enabled.

As you can see in the "Using aliases rules to avoid modifying
profiles" section, there's a whole bunch of problems that would make
alias rules difficult for us to use, even once John's bugfixes land.
So, while it's probably a good idea to fix known bugs in alias rules,
it's probably not worth it to do so just to help Live systems.
I figured it would be nice to let you know that :)

Regarding using rewrite rules instead, as explained in "Using rewrite
rules to avoid modifying profiles", I've not tried it yet, but
I suspect it won't work so well for us either.

Long-term, I'm now putting more hope into overlayfs than in alias or
rewrite rules. However, one should check first whether overlayfs
supports stacking up more than one read-only branch, as we do need
this for the Tails incremental upgrades feature.

Thanks everyone for you work and support!

(And yes, "union" is a double-pun in the subject, as we're speaking of
union filesystems, and some of the problems come from how union works
in the AppArmor language grammar :)

Cheers,
--
intrigeri