Apparmor for charms not explained

[jhobbs]

The Charm Store Policy at https://juju.ubuntu.com/docs/authors-charm-policy.html says:

"Should make use of AppArmor to increase security."

It would be nice to provide documentation about how charms should handle apparmor. I believe this is usually handled at the package level, but not all packages will have it, and some charms may not install using packages.

[jhobbs]

Some IRC chat about it from #juju@freenode:

20:41 < arosales> Policy states, "Should make use of AppArmor to increase security."
20:41 < arosales> https://jujucharms.com/docs/authors-charm-policy
20:41 < arosales> But we don't make any references to how this can be accomplished in the charm, and we unfortunately don't have any good examples.
20:42 < arosales> I am a +1 for security, but how do we enforce this or if a user says, "Great how do I do this" what is the answer?
20:42 * arosales ends question
20:43 < sarnold> hey arosales :) there's a handful of policies in /etc/apparmor.d/ on most ubuntu systems that can serve as a too-quick introduction to apparmor
20:44 < arosales> sarnold: hello :-)
20:44 < sarnold> arosales: jdstrand has a series of short-and-sweet blog posts about apparmor that are a decent enough introduction, too, https://penguindroppings.wordpress.com/2014/06/06/application-isolation-with-apparmor-part-iv/
20:44 < arosales> Perhaps the right answer here is to reach out to the ubuntu security team and formulate some examples in the docs
20:45 < sarnold> arosales: one thing that I'd love to see in juju charms is making use of the relation information to help create flexible policies
20:45 < mbruzek> arosales: This policy predates me, but I have not seen a charm using apparmor. I suspect someone knows how to do that
20:45 < arosales> sarnold: do you feel this is handled inside the app, or are there extra measure the charm should be taking?
20:45 < sarnold> arosales: it depends; e.g., installing mysql from the archive will automatically get the packaged apparmor policies installed
20:46 < mbruzek> good point sarnold
20:46 < arosales> good point, but others may not . . .
20:46 < sarnold> arosales: but if you're creating a charm for software that doesn't already supply its own policy, you could bundle it alongside the charm, drop it into /etc/apparmor.d/, and .. waves hands about making sure it's loaded
before the service is started
20:47 < sarnold> arosales: one complicating factor is that apparmor policies currently can't be nested; the local provider uses LXC, which uses apparmor to enforce some of its policies. so, local deployed charms wouldn't be able to use
their own policy. (this is being addressed but probably won't be ready for many months.)
20:49 < sarnold> arosales: jdstrand and sbeattie also put together an apparmor "policy template" language, apparmor-easyprof, that might be a suitable starting place for charm authors to smack out some quick template-based policies --
which might be useful for tuning them based on configurations
20:49 < arosales> interesting re lxc, didn't think of that
20:50 < sarnold> I think the mysql init stuff may have mechanisms in place to cope, I haven't looked in ages.
20:50 < arosales> sarnold: do you have a link to the "policy template" lauguage?
20:51 < arosales> sarnold: do you know of any issues with xen or kvm in app armour policies?
20:51 < sarnold> arosales: hrm, I'm having trouble finding links to apparmor-easyprof examples; it's used a bit with snap / click packaging but those tools aren't exactly easy to learn from
20:52 < lazyPower> arosales: i agree that we need to get documentation around this or link to the proper docs in our charming series docs
20:52 < sarnold> arosales: xen / kvm should work just fine; libvirtd does have apparmor policies confining portions of the systems (e.g. shared host/guest filesystems sometimes have trouble, and need extended policies) -- but the
kvm-emulated machine or xen-emulated machine get their own apparmor policies no trouble
20:52 < lazyPower> arosales: what may be a good starting poitn would be to get a charm school video about security enhnacement with apparmor profiles on a simple charm - like pick the day1 charm and put in some nginx app armor policies
20:53 < lazyPower> however app armor itself is a beast of a topic and goes into a broad range of things as sarnold has pointed out
20:54 < arosales> lazyPower: ya I think at a min we need some docs to point users on how to accomplish this
20:55 < lazyPower> arosales: i have a marching order over this next week to get some visualizations done for my slides / video over charm relationships - i can add an addendum to that for app armor as a follow up task.
20:55 < arosales> sarnold: thanks for the input here, much appreciated
20:55 < sarnold> the policies are easy enough; the hard part is tying them together to handle e.g. running under lxc, getting them loaded before programs start, etc..
20:56 < lazyPower> i've ran into some really good articles that we - being juju charmers, are not warehousing, but i can distill that info into a digestible doc for starting out with app armor and link to the app armor community documentation which goes into further depth how to write them
20:56 < arosales> lazyPower: if you have some time to start some docs on apparmor that wold be helpful

[AdamIsrael]

The new link for this issue is: https://jujucharms.com/docs/2.2/authors-charm-policy

The explanation of how to use AppArmor is still vague, and could use some clarification.