Attendees: u, Ximin, Guido, Alan, mesutcang, nicoo, jerith

Status, updates and plans
=========================

team
----

* still active: Felix, intrigeri, u
* new active member: nicoo
* h01ger left
* kees inactive

userspace
---------

apparmor source package in Debian. upstream - Canonical

kernel
------

AppArmor support in the kernel: Generally, we rely on mainline Debian's kernel and upstream who works in the canonical Linux kernel. This means we lack some support:

* dbus calls mediation
* mount rules / containers

In Debian

* we have mandatory access control
* POSIX Support in mainline

policy
------

Policy done in Debian. Some is on the apparmor-profiles-extra package. Other profiles shipped in the respective packages.

Cross-distro
------------

Git repository layout which is still in the notes of intrigeri from Debconf15. Upstream just converted their repository to Git.

TODO
----

* does it make sense to ship profiles in the package only if upstream ships it or if it does not then we ship it in the upstream repo.

Testing:

* how do we test? do we have scripts?
* proposal: check if aa is enabled and then try to fetch violations?
* idea of bugscript: we ship the script inside of the apparmor package. maintainers can add if $script exists, source $script. maybe this could add a usertag too? nicoo would like to look into it.
  => todo create bugreport with nicoo in cc.

Icedove: better ship this before the freeze.

Debugging:

* Add things to "man apparmor" and AppArmor upstream wiki from John Johansen https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218 :u:
* Click on a URL in the aa-notify window for maintainers and/or non-technical users to debug?

Tasks for starters:

* https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=new-profile&user=pkg-apparmor-team%40lists.alioth.debian.org

Next big(ger) goals
===================

Candidates:

* desktop notifications
  Broken policy:
  - apparmor-notify package gives users visual feedback.
    main blocker is that currently only root can read auditd logs. auditd maintainers should chmod the logs to adm, because we don't want to run auditd as root.
    Ximin: redirect to a different user.
    :nicoo: patch auditd for proper permissions.
* enabled by default
* enabled when the apparmor package is installed

We cannot count on Upstream to do the work for Wayland, because they won't yet ship Wayland. For Stretch we are good.

Blockers for getting aa enabled by default
------------------------------------------

* more people should use it, maybe we can enable it during a BoF?
* We need some sort of marketing speech for maintainers to tell them what this means and what they are risking.
* Gather data and build argument around that? popcon? tails?
  - measure if the aa policy we ship has had an effect on issues in the past, did it work? (example Pidgin or pdf readers.)
  - it would make it easier for the security team to flag no DSA
* make it easier to enable it by default
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702030 :nicoo:alan:
* what about having a package with working profiles and half buggy profiles (in complain mode) instead of the current apparmor-profiles some of which don't work
  - some of those half working should move to /usr/share/doc/apparmor/examples :intrigeri:
* start a discussion to enable it by default right after stretch is released.
* don't forget the server use case
* don't forget libvirt
* RC Scripts could be made much simpler - help is welcome.
* encode in policy how to use dh-apparmor :intrigeri:
* hardening: lintian warning if setuid=1 or if you ship a service file. e.g. "you seem to xyz, but there is no apparmor profile enabled"
  - maybe use the bugscript to do this. :nicoo:

AppStores/DMGs
--------------

Flatpak/Red Hat/SELinux, UbuntuSnap/AppArmor (sandboxing), this makes it less obvious to make a choice for Debian. Shipping aa by default, people who will want to use Flatpak, will not be able to do it.

Mailinglist
-----------

pkg-apparmor-team@lists.alioth.debian.org
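
The testing proposal in the TODO section (check if aa is enabled, then try to fetch violations), together with the root-only audit log blocker, shown as an added example that is not part of the meeting notes or of any Debian package. The function names, the default paths and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the meeting notes. Paths are parameters so the
# functions can be pointed at test files; the defaults are assumptions.

# Succeeds when the kernel reports AppArmor as enabled.
aa_enabled() {
    param="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$param" ] && [ "$(cat "$param")" = "Y" ]
}

# Prints "mode operation name denied_mask" once per distinct event logged
# against profile $1 in log file $2. DENIED comes from enforce mode,
# ALLOWED from complain mode; fields missing from an event print as "-".
aa_violations() {
    profile="$1"
    log="${2:-/var/log/audit/audit.log}"
    if [ ! -r "$log" ]; then
        # The blocker from the notes: audit logs are usually root-only.
        echo "cannot read $log" >&2
        return 2
    fi
    awk -v want="profile=\"$profile\"" '
        function val(s) { sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s }
        /apparmor="(DENIED|ALLOWED)"/ {
            hit = 0; mode = op = name = mask = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == want) hit = 1
                else if ($i ~ /^apparmor=/) mode = val($i)
                else if ($i ~ /^operation=/) op = val($i)
                else if ($i ~ /^name=/) name = val($i)
                else if ($i ~ /^denied_mask=/) mask = val($i)
            }
            if (hit) print mode, op, name, mask
        }' "$log" | sort -u
}

# Constructed sample audit lines (not taken from a real system).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1466000000.101:40): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/home/user/.ssh/id_rsa" pid=2101 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1466000000.102:41): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/home/user/.ssh/id_rsa" pid=2101 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1466000001.200:42): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/pidgin" name="/tmp/x" pid=2200 comm="pidgin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1466000002.300:43): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince" pid=900 comm="apparmor_parser"
EOF
}
```

A package bug script could source this file and call `aa_enabled && aa_violations /usr/bin/evince` to attach recent violations to a report; the non-zero return from `aa_violations` distinguishes an unreadable log from a clean one.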