This page tracks progress of adding AppArmor profiles to Debian.
- In progress
- To be done
- Done (for Jessie, at least)
- OutreachProgram Round 9
For Jessie, we'd like more enforced profiles; specifically (in decreasing order of priority):
- some of the Usual Suspects™ on the Desktop: evince, iceweasel, isc-dhcp-client, pidgin;
- some software that is particularly important in the context of Tails and other privacy-sensitive contexts: Tor, Vidalia;
- some low-hanging fruit from Ubuntu's Supported profiles in main list: apache2, libvirt, ntp...
The general workflow for profiles is to find existing profiles, test them in the context of Debian sid, adapt them if needed, and either include them in apparmor-profiles-extra or propose them to Debian package maintainers.
At some point, it would be great to share profile maintenance, e.g. with Ubuntu.
Profiles being worked on
Pending maintainer upload
Pending upload of apparmor-profiles-extra
Wishlist bug filed
See the bugs tagged "new-profile".
bugs.debian.org: Enable push/pull notifications for usertags 776587
To be done
Supported profiles in Ubuntu main => import into apparmor-profiles-extra, unless the respective maintainers want to take it into their package. Maybe start with the high-profile services like Apache, OpenLDAP, ClamAV and Bind.
iceweasel => adapt Ubuntu's Firefox profile, or start over from intrigeri's current iceweasel profile
isc-dhcp-client => profile needs to be loaded before the network is up => see systemd item below
rsyslog => profile needs to be loaded before the service is started => see systemd item below
Help get more profiles into good shape, so that they can be integrated upstream or into apparmor-profiles-extra. The Ubuntu security team roadmap tells a bit about their priority, and the current status of profiles under development.
Integrate with systemd by either waiting for systemd v210+, which has an AppArmorProfile= option, or shipping upstart's /lib/init/apparmor-profile-load as an AppArmor helper script and calling it in systemd's ExecStartPre=
Done (for Jessie, at least)
Included in the corresponding package
Included in the apparmor-profiles package
Included in the apparmor-profiles-extra package
OutreachProgram Round 9
Week1 Dec 9th - Dec 15th, 2014
Set up test environment and test different profiles
Read usertags documentation https://wiki.debian.org/bugs.debian.org/UserTags
Try to fix problematic profiles upstream: worked on Pidgin Blinklight https://code.launchpad.net/~u-d/apparmor-profiles/pidgin-blinklight/+merge/244582
Week2 & 3 Dec 16th - Dec 30th, 2014
explain upstream - Debian relationship
Week4 Dec 31st - Jan 06th, 2015
import my upstream bugfixes on pidgin-blinklight to the apparmor-profiles-extra package through Git
roughly document how to contribute to the upstream profiles
set up user stories in order to define the usertags we need, so Debian users and maintainers know how we (want them to) use tags
Week5 & 6 Jan 07th - Jan 20th, 2015
fix out of sync README.Debian in apparmor-profiles-extra pkg
import How to contribute to Upstream doc to Debian Wiki: AppArmor/ContributeUpstream
Finish writing user stories
Ask for review of user stories and usertags on firstname.lastname@example.org
Wait for review of usertag RFC
Re-elaborate User Stories based on review
fix pidgin profile (see email by intrigeri) about prefs.xml
Add "import profile" documentation to wiki AppArmor/Contribute/Import
Week7 & 8 Jan 21st - Feb 3rd, 2015
File a wishlist bug against bugs.debian.org for push/pull notifications for usertags, this is now 776587
Move debugging documentation to its own page
Add d.w.o documentation as a link to http://wiki.apparmor.net/index.php/Distro_debian (was there already)
Discuss & document when "Suggests: apparmor" needs to have a version number or Breaks:
move user stories to dedicated page AppArmor/UserStories
link User stories from the Tools section on AA/Contribute
Follow-up on new-profile tagged bugs
Found a small bug in aa-unconfined which has been patched by upstream devs, filed as 777034
Work on AppArmor/Debug and AppArmor/Reportbug
Work on wiki documentation navigation: make pages easy to access and things easy to find
Week9 & 10 Feb 4th - Feb 17th, 2015
implement each userstories-derived solution on the corresponding wiki page
finish wiki navigation and ask for review again
Usertag blog post http://apparmor.451f.org/2015/02/11/user-stories-and-user-tags
Code usertag email notification via UDD and add it as a cronjob on alioth
Week11 - 13 Feb 18th - Mar 9th, 2015
Document branch name for contributing to upstream bzr repository on blog post / how to contribute to upstream doc
create list of package maintainers who already ship AppArmor profiles.
Check udd script with pylint => done but ignored some bits
import my upstream bugfixes on pidgin-prefs to the apparmor-profiles-extra package through Git
Host udd.py script on Alioth in a git repository which is editable by the team: https://alioth.debian.org/scm/browser.php?group_id=100952
Write a final report
Once the usertags are defined, announce workflow on blog and debian-devel-announce Draft. Only Debian members can post to d-d-a. This should be done on Monday 9th March 2015. Requested that the mentors use the draft.
After the internship
- Document "Migrate a profile to the package that ships the confined application" on AppArmor/Contribute/ImportProfileFromExtra
OPW Coordination meetings
Meetings take place on irc.oftc.net and are recorded by MeetBot.
- Dec 12th 2014, 4pm CET (private place)