[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [opensuse-security] Apparmor suggestion to include more profiles


Am Dienstag, 31. Mai 2016, 02:51:11 CEST schrieb Malte Gell:
> Am 29.05.2016 um 15:37 schrieb Jean-Christophe Baptiste:
> > It is a nice thing that openSUSE includes apparmor by default. I
> > started to play with it on Leap 42.1.
> > 
> > However, I feel it is a little short in term of profiles for the
> > desktop (all profiles are server oriented).> 
> >  (.....)
> You´re right, SUSE never came with many really useful AA profiles.
> On the other hand, in my mind you always need to change AA profiles to
> meet your demands.

Did you also need any changes in the profiles that are enabled by 
default? If so, please tell me - in many (not all) cases I consider this 
to be a bug in the profile ;-)

> I took profiles for Firefox and Thunderbird from the web and adapted
> them for my needs. For other apps I created profiles from scratch.
> I think no profiles may fit to your needs, you virtually always need
> to change them.

Well, at least if you want them as strict as possible.

> I suggest to create a new folder /etc/apparmor.d/templates and
> openSUSE puts all new profiles there and the user can enable them on
> demand.

There is /usr/share/apparmor/extra-profiles/ with several profiles, but 
because nearly nobody uses them, they are mostly bitrotting :-( so 
please don't expect too much.

The profiles from there should in theory be proposed when you start a new 
profile with aa-genprof - but I just noticed this is broken :-(

I sent a fix for this upstream, so this will be fixed in the next AppArmor 
releases (2.9.4, 2.10.2 and 2.11, whenever they'll get released, will 
contain the fix).
If you want to fix this yourself, feel free to grab the patch from 
https://lists.ubuntu.com/archives/apparmor/2016-June/009748.html ;-)

> Another good idea would be, if you have created some profiles, post
> them here, so other users can make use of them.
> There should be a SUSE Wiki where we can post our custom made
> profiles.

I agree that it would be good to have a place where profiles can be 
shared, but I'm not sure if the wiki is a good place. The problem I see 
is that the wiki makes it too easy to do malicious modifications to a 

There are plans to setup a cross-distribution repo for profiles 
(I discussed this with some Debian people at last year's DebConf, and if 
we are lucky, they'll work on it at DebConf this year. Please don't take 
this as a promise - I reminded them about the repo, but I don't have an 
answer yet.)

Until this repo is available, posting profiles to this mailinglist sounds 
good to me. 

If it turns out that the list gets flooded by AppArmor profiles, we'll 
need to search for a different solution, but that would be a luxery 
problem ;-)


Christian Boltz
> Can we agree to disagree, or do we need to vote in the
> next meeting? ;-)
Wait, you want to start a discussion on which voting system
(http://en.wikipedia.org/wiki/Voting_system) to use? :)
[> Christian Boltz and Steve Beattie in apparmor]

To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx