AppArmor work for Natty

Registered by Kees Cook on 2010-10-21

Discussion of AppArmor plans during the Natty cycle.

Blueprint information

Status:
Complete
Approver:
Kees Cook
Priority:
Medium
Drafter:
Steve Beattie
Direction:
Approved
Assignee:
Jamie Strandboge
Definition:
Approved
Series goal:
Accepted for natty
Implementation:
Implemented
Milestone target:
milestone icon ubuntu-11.04
Started by
Jamie Strandboge on 2010-11-17
Completed by
Jamie Strandboge on 2012-10-01

Related branches

Sprints

Whiteboard

Work items:
[jdstrand] clean up wiki documentation: DONE
[jdstrand] write pam_apparmor tutorial and add to the wiki: DONE
[jdstrand] write mod_apparmor page and add to the wiki: DONE
[jdstrand] write mod_apparmor tutorial and add to the wiki: DONE
[jdstrand] write libvirt/apparmor documentation and add to the wiki: DONE
[jdstrand] update techdoc: POSTPONED
[jdstrand] update man pages (LP: #592159): DONE
[jdstrand] patch dbus to enforce apparmor mediation during message passing: POSTPONED
[jdstrand] profile for dbus: POSTPONED
[jdstrand] investigate profile for telepathy backend: DONE
[jdstrand] send Ubuntu profile delta upstream: DONE
[jdstrand] update initscripts to not unload libvirt dynamic profiles (bug #702774): DONE
[jjohansen] Merge in parser cleanups: DONE
[jjohansen] Reduce dfa creation memory use: DONE
[jjohansen] IPC introspection interface to be used by dbus: POSTPONED
[kees] apparmor v2.6/3 integration into natty: DONE
[jdstrand] write aa-disable: DONE
[jdstrand] update/add networking regression tests (q-r-t): DONE
[kees] discuss/implement how to do per-service AA profile loading via upstart: DONE
[kees] update packaging: DONE
[micahg] create debconf configuration for browser plugins: POSTPONED
[kees] move cache to /lib/apparmor/cache: POSTPONED
[sbeattie] fix python library bindings: DONE
[sbeattie] remove old crufty log parsing: DONE
[sbeattie] implement change_profile pam_apparmor: POSTPONED
[sbeattie] single tarball build tree: POSTPONED
[sbeattie] upstream initscript cleanups: INPROGRESS
[jdstrand] make aa-logprof aware of tunables (including .d style tunables (maybe jesse?)): POSTPONED
[jdstrand] make aa-logprof aware of binary globbing for executable: POSTPONED
[jdstrand] update tools for alias support (investigate what they do now and go from there): POSTPONED
[jjohansen] update/add networking unit tests (upstream): POSTPONED
[sbeattie] apparmor v2.6/3 Release: DONE
[jdstrand] further investigation of apparmor XACE integration: POSTPONED
[jdstrand] apparmor integration into lxc containers, so that containers get a namespace and their own profile set: POSTPONED
[jdstrand] update initscripts to use/respect a generalized dynamic profile flag, rather than special-casing libvirt, et al: POSTPONED
[jdstrand] update tools to handle v3 format (once v3 is finalized): POSTPONED
[jdstrand] test mixed v2, v3 policy (once v3 is finalized): POSTPONED
[jdstrand] update natty policy for v3 format (once v3 is finalized): POSTPONED
[jjohansen] Kernel side IPC for use with dbus: POSTPONED
[jjohansen] update parser to allow for profile name separate from attachment specification: POSTPONED
[jjohansen] update parser to allow for a profile to have multiple attachment specifications: POSTPONED
[jjohansen] Finish dfa dominance for exec rules: POSTPONED
[jjohansen] update parser for v3 dfa format: POSTPONED
[jjohansen] update kernel for v3 dfa format: POSTPONED
[jjohansen] parser v3 policy compat on v2 kernel: POSTPONED
[jjohansen] parser control for forcing dfa type generated: POSTPONED
[jjohansen] userspace dfa execution engine, that can be used in regression tests: POSTPONED
[jjohansen] userspace dfa unpack and verification engine: POSTPONED
[jjohansen] expose extend conditionals to policy: POSTPONED
[jjohansen] upstream updated level 1 networking (socket labeling and rules): POSTPONED
[jjohansen] upstream updated level 2 networking (basic packet labeling via secmark + manual iptables): POSTPONED
[jjohansen] upstream new kernel introspection interface: POSTPONED
[jjohansen] flag inidicating profile is dynamic: POSTPONED
[jjohansen] base ioctl control for control of btrfs snapshots: POSTPONED
[jjohansen] conditional rule based on fstype for btrfs snapshot mediation: POSTPONED
[jjohansen] alias snapshot perm to ioctl control for btrfs snapshot mediation: POSTPONED
[jjohansen] extended permissions: POSTPONED
[jjohansen] update compatibility patches for 2.6.38 version of AppArmor: POSTPONED
[jjohansen] reintroduce exec time revalidation and evaluate exec overhead: POSTPONED
[jjohansen] kernel learning interface that doesn't spam logs to ease crowdsourcing: POSTPONED
[jjohansen] abstraction analysis tool: POSTPONED
[jjohansen] start upstream discussion on standard kernel interface for snapshots: POSTPONED
[jjohansen] parser config file to allow controlling default parser flags: POSTPONED
[jjohansen] negative alternation matching {*^foo,bar}: POSTPONED
[jjohansen] dynamic kernel vars (proc, tid, pid): POSTPONED
[jjohansen] expose kill rules to policy: POSTPONED
[jdstrand] modify user tools to get logs directly from the kernel (once support in kernel exists): POSTPONED
[kees] investigate squid apparmor profile for natty: POSTPONED

Future work items:
[micahg] create debconf configuration for browser plugins: TODO
[kees] move cache to /lib/apparmor/cache: TODO
[sbeattie] remove old crufty log parsing: TODO
[sbeattie] implement change_profile pam_apparmor: TODO
[sbeattie] single tarball build tree: TODO
[sbeattie] upstream initscript cleanups: TODO
[jdstrand] make aa-logprof aware of tunables (including .d style tunables (maybe jesse?)): TODO
[jdstrand] make aa-logprof aware of binary globbing for executable: TODO
[jdstrand] update tools for alias support (investigate what they do now and go from there): TODO
[jjohansen] update/add networking unit tests (upstream): TODO
[sbeattie] apparmor v2.6/3 Release: TODO
[jdstrand] further investigation of apparmor XACE integration: TODO
[jdstrand] apparmor integration into lxc containers, so that containers get a namespace and their own profile set: TODO
[jdstrand] update initscripts to use/respect dynamic profile flag (libvirt): TODO
[jdstrand] update tools to handle v3 format (once v3 is finalized): TODO
[jdstrand] test mixed v2, v3 policy (once v3 is finalized): TODO
[jdstrand] update natty policy for v3 format (once v3 is finalized): TODO
[jjohansen] Kernel side IPC for use with dbus: TODO
[jjohansen] update parser to allow for profile name separate from attachment specification: TODO
[jjohansen] update parser to allow for a profile to have multiple attachment specifications: TODO
[jjohansen] Finish dfa dominance for exec rules: TODO
[jjohansen] update parser for v3 dfa format: TODO
[jjohansen] update kernel for v3 dfa format: TODO
[jjohansen] parser v3 policy compat on v2 kernel: TODO
[jjohansen] parser control for forcing dfa type generated: TODO
[jjohansen] userspace dfa execution engine, that can be used in regression tests: TODO
[jjohansen] userspace dfa unpack and verification engine: TODO
[jjohansen] expose extend conditionals to policy: TODO
[jjohansen] upstream updated level 1 networking (socket labeling and rules): TODO
[jjohansen] upstream updated level 2 networking (basic packet labeling via secmark + manual iptables): TODO
[jjohansen] upstream new kernel introspection interface: TODO
[jjohansen] flag inidicating profile is dynamic: TODO
[jjohansen] base ioctl control for control of btrfs snapshots: TODO
[jjohansen] conditional rule based on fstype for btrfs snapshot mediation: TODO
[jjohansen] alias snapshot perm to ioctl control for btrfs snapshot mediation: TODO
[jjohansen] extended permissions: TODO
[jjohansen] update compatibility patches for 2.6.38 version of AppArmor: TODO
[jjohansen] reintroduce exec time revalidation and evaluate exec overhead: TODO
[jjohansen] kernel learning interface that doesn't spam logs to ease crowdsourcing: TODO
[jjohansen] abstraction analysis tool: TODO
[jjohansen] start upstream discussion on standard kernel interface for snapshots: TODO
[jjohansen] parser config file to allow controlling default parser flags: TODO
[jjohansen] negative alternation matching {*^foo,bar}: TODO
[jjohansen] dynamic kernel vars (proc, tid, pid): TODO
[jjohansen] expose kill rules to policy: TODO
[jdstrand] modify user tools to get logs directly from the kernel (once support in kernel exists): TODO
[kees] investigate squid apparmor profile for natty: TODO

= Going Forward =
 * https://apparmor.wiki.kernel.org/index.php/DevelopmentRoadmap
 * What to get upstream 2.6.38:
  * get both network mediation and compatibility patches upstream. not ready for 2.6.37
  * networking will be expanded to have a more complete mediation. 3 stages:
   * level 1: what we had plus ports and other fine grained controls (need this in 2.6.38)
   * level 2: manual secmark rules (hoped in 2.6.38). need to be careful about labelling so people don't use the intended labelling in their manual rules for migration
   * level 3: auto add of secmark rules (2.6.39 or later)
 * Network rules:
   * we will treat other iptables rules like DAC
 * btrfs snapshots
    * btrfs snapshot ioctl appears to pass the destination directory as the fd argument to the ioctl()
  * level 1: yes/no (needed for 2.6.38 and natty)
  * level 2: snapshot src or snapshot dst
  * level 3: snapshot from src to dst
 * policy on different kernels
  * should be able to load old policy on new kernel (fine as is)
  * should be able to load new policy on old kernel, but drop stuff it doesn't recognize (todo)
  * old parser on newer kernel (tools should notify in some way that the kernel supports newer features)
 * upstream initscripts need some work
 * Wiki: write tutorials and other documentation
  * https://apparmor.wiki.kernel.org/index.php/WorkItems#Documentation

Prioritized TODO list:
[ACTION] jj: get the compatibility patches into natty - High - should be next week
[ACTION] jj: level 1 btrfs for natty (patch sent up for review very soon and then iterated) - High
[ACTION] jj: level 2 btrfs for natty (should be small after the first is sent up) - Medium
[ACTION] jj: level 1 network mediation - Medium (we have a compat patch in the meanwhile)
[ACTION] jj: send up his thoughts to the ml - Low - (we have a compat patch in the meanwhile)
[ACTION] all: discuss and spec out sysfs hiearchy in the wiki
[ACTION] jj, kees: sysfs introspection
[ACTION] jj: fix kernel so that it will drop policy compiled on a newer kernel for which it doesn't understand(currently network, capabilities, rlimits)
[ACTION] sbeattie: make sure upstream initscripts are ok
[ACTION] sbeattie: clean out super-crufty, old log parsing stuff

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.