HardyAppArmor
Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.
Launchpad Entry: apparmor-integration
Packages affected: apparmor*, libapparmor, * (any package with a profile)
Summary
Improve AppArmor usability and integration by improving profile integration in packages and providing GUI tools for monitoring and configuring AppArmor.
Release Note
Rationale
easily configure AppArmor
easily interact with AppArmor
package management and upgrades
Fred is trying to upgrade a package but is getting conflicts because he changed the enforcement mode of a profile.
Use Cases
Bob wants to configure AppArmor by modifying which profiles are enabled or enforcing policy.
Alice wants to immediately know when a program violates AppArmor policy. This allows her to investigate violations in a timely fashion or even correlate violations with an application failure she is experiencing.
Assumptions
Design
core apparmor updates to apparmor
policy storage dpkg macros - variables in policy, profile dependency issues
GUI config tool, dispatcher, applet
Choose between security module
integrate with auditd
integrate with apport - python parsing library bindings
enable pam_apparmor
profiles layout
Implementation
This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:
UI Changes
Inclusion of AppArmor applet to allow monitoring apparmor events from the desktop.
A new Preference UI for configuring which AppArmor profiles are enabled.
Code Changes
Code changes should include an overview of what needs to change, and in some cases even the specific details.
Migration
Test/Demo Plan
Outstanding Issues
BoF agenda and discussion
- Upstream will have a stable release for Hardy largely similar to the version in Gutsy
- Getting auditd into main could benefit us
- Log parsing library should be up to date, may have some problems with parts of old log format in Feisty universe.
AppArmor roadmap: http://developer.novell.com/wiki/index.php/Apparmor_dev_stage
packages to be integrated
- libapparmor? -- libaaparse
- pamarmor
- apparmor dbus event dispatcher
- apparmor applet
profile layout
profile dependencies
profile enhancements to ease profile development
Upstream issues
VFS changes aren't in yet