New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
porting upstream profiles to apparmor.d? #250
Comments
I am considering sdwdate to be upstream. Similar I would consider lets say a Firefox profile as part of firefox-esr Debian package to be maintained by upstream. (Either because Mozilla supports it or because the Debian Maintainer added it.) What's the plan for apparmor.d? Should the example Firefox profile be removed from firefox-esr and added to apparmor.d instead? That seems non-intuitive. It's my understanding that:
Unless I am missing something, I think the sdwdate profile should stay with sdwdate. Since it's enabled by default, if changes are required, I am going to notice them and apply the changes. But if it was in apparmor.d then I'd need to send a PR here and upgrade two packages. More overhead. So my first reaction is to say to not move the sdwdate profile to apparmor.d the same way maintainers of firefox-esr package would probably not move their apparmor profile to apparmor.d. On the other hand, I'd very much like to see a review, hardening of any apparmor profiles by Kicksecure, Whonix but I don't think this requires moving them to another package. Also the ownership transfer from one package to another is quite difficult to avoid an APT package manager conflict as two packages might attempt to own the very same file during upgrades. |
Yes absolutely. My suggestion was, if there was no profile for this, we would need to add one.
A missing profile would break whonix because we intent to use the full policy. I assume for example that sdwdate needs the capability to change the clock, which the full system policy does not grant. If it does not have a dedicated profile, it will default to running under the full-policy, which would prevent it from functioning. If all the whonix utilities and applications are covered with dedicated apparmor profiles, then there is nothing to be worried about. But if there are some, those might need profiles to not break, unless they already require too little privileges that they can run under the full-policy. Especially in Qubes, I suspect that there might be processes/services that run with no apparmor profiles, that might break when running under the restrictive full-policy. But even those might be covered within the vast number of profiles in this project. But I can't tell without testing, and I unfortunately can't test this. If there are any custom/specific processes that require more capabilities, we would need to create profiles for them, which should not be too hard. |
I had a similar discussion with some people from canonical last week. At the moment there is no definitive answer to this question. A (not exhaustive) list of point to consider:
Sure, I can have a look at them, no need to transfer them. |
Right. Its systemd unit file grants the capability. It has a dedicated apparmor profile.
No way to know without testing and seeing what breaks.
That is for sure.
Once some major milestone was reached (for example Kicksecure or Whonix) (non-Qubes) bootable with full apparmor profile, I have some ideas for this. (Run in Qubes in AppArmor permissive mode a share logs would help? Would a CI server help? Maybe can be set up. Maybe Qubes can help. They already run Qubes OpenQA and any logs etc can be made available. Lack of hardware? Can be monetarily donated. But let's discuss this at a later time to not rush ahead.) |
Alright. Going for this. So my original question has been resolved.
Excellent! |
@monsieuremre commented on 58b5773 yesterday
The text was updated successfully, but these errors were encountered: