Add "Enabling AppArmor by default?" section
Update goals for Buster.
|Line 9:||Line 9:|
|For Stretch, we'd like more enforced profiles; specifically
(in decreasing order of priority):
1. some of the Usual Suspects™ on the Desktop, e.g. isc-dhcp-client, Pidgin;
2. some software that is particularly important in the context of Tails and other privacy-sensitive contexts: Tor;
3. some low-hanging fruits from Ubuntu's [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles|Supported profiles in main]] list: apache2, libvirt, ntp...
The general workflow wrt. profiles is to find existing profiles, test them in the context of Debian sid, adapt them if needed, and either include them into apparmor-profiles-extra, or propose them to Debian package maintainers.
At some point, it would be great to share the profiles maintenance e.g. with Ubuntu.
|For Buster, we'd like to enable AppArmor by default and improve the workflow for cross-distro collaborative profiles maintenance.|
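Review bot: the Buster sentence replaces the whole Stretch block, so the profile workflow paragraph (find existing profiles, test them in sid, adapt them, then include them in apparmor-profiles-extra or propose them to the package maintainers) disappears together with the priority list, even though the "To be done" items below still describe that same workflow; consider keeping the workflow sentence and replacing only the Stretch priority list.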
This page tracks progress of adding AppArmor profiles to Debian.
- In progress
- To be done
- Done (for Buster, at least)
- OutreachProgram Round 9
For Buster, we'd like to enable AppArmor by default and improve the workflow for cross-distro collaborative profiles maintenance.
Enabling AppArmor by default?
We are discussing and researching if/how AppArmor should be enabled by default on Debian:
XXX: link to discussion on debian-devel started during DebConf17
We could also enable AppArmor directly in the kernel with CONFIG_DEFAULT_SECURITY="apparmor" and CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1.
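The following script is an added example and is not part of this wiki page or of Debian's kernel packaging. It shows how the two build-time options interact with the kernel command line: CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE is the default for the apparmor= boot parameter and CONFIG_DEFAULT_SECURITY is the default for the security= parameter, and a parameter given on the command line overrides its build-time default (this is the scheme used by kernels of the Buster era; from Linux 5.1 on, CONFIG_LSM replaces CONFIG_DEFAULT_SECURITY). The two .config fragments are constructed sample data, not Debian's real configuration.

```shell
#!/bin/sh
# Added example: decide whether a kernel will boot with AppArmor enabled from
# its build configuration plus its command line.  The two .config fragments
# below are constructed sample data, not Debian's real kernel configuration.

# Constructed config: AppArmor built and selected as the default LSM.
CFG_ON=$(mktemp)
cat >"$CFG_ON" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY="apparmor"
EOF

# Constructed config: AppArmor built but not the default LSM (plain DAC), so
# it has to be requested on the kernel command line.
CFG_OFF=$(mktemp)
cat >"$CFG_OFF" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
CONFIG_DEFAULT_SECURITY=""
EOF

# config_value FILE KEY: print KEY's value from a kernel .config without the
# surrounding quotes; prints nothing if KEY is absent or "is not set".
config_value() {
    sed -n "s/^$2=//p" "$1" | sed 's/^"\(.*\)"$/\1/'
}

# apparmor_state CONFIG_FILE "CMDLINE": print "enabled" or "disabled".
# Build-time defaults come from CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE and
# CONFIG_DEFAULT_SECURITY; an apparmor= or security= argument on the kernel
# command line overrides the corresponding default, as the kernel does.
apparmor_state() {
    if [ "$(config_value "$1" CONFIG_SECURITY_APPARMOR)" != "y" ]; then
        echo disabled   # AppArmor not compiled in: nothing can enable it
        return 0
    fi
    enabled=$(config_value "$1" CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE)
    lsm=$(config_value "$1" CONFIG_DEFAULT_SECURITY)
    for arg in $2; do
        case "$arg" in
            apparmor=*) enabled="${arg#apparmor=}" ;;
            security=*) lsm="${arg#security=}" ;;
        esac
    done
    if [ "$enabled" = "1" ] && [ "$lsm" = "apparmor" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Walk through the combinations a Debian user can hit.
for cfg in "$CFG_ON" "$CFG_OFF"; do
    for cmdline in "" "apparmor=1 security=apparmor"; do
        printf '%s cmdline=[%s] -> %s\n' "$(basename "$cfg")" "$cmdline" \
            "$(apparmor_state "$cfg" "$cmdline")"
    done
done
```

On a running system the same question is answered by /sys/module/apparmor/parameters/enabled (Y when the kernel booted with AppArmor active) and by aa-status, which also lists which profiles are loaded in enforce or complain mode; the script only models the build-time and boot-time inputs that decide that outcome.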
Profiles being worked on
Pending maintainer upload
Pending upload of apparmor-profiles-extra
Wishlist bug filed
See the bugs tagged "new-profile".
bugs.debian.org: Enable push/pull notifications for usertags 776587
To be done
Supported profiles in Ubuntu main => import them into apparmor-profiles-extra, unless the respective maintainers prefer to ship them in their own packages. Maybe start with high-profile services like Apache and OpenLDAP.
Help get more profiles into good shape, so that they can be integrated upstream or into apparmor-profiles-extra. The Ubuntu security team roadmap gives some idea of their priorities and of the current status of profiles under development.
Done (for Buster, at least)
Included in the corresponding package
Note: this list is partial and somewhat outdated; the actual situation is better than it suggests.
Included in the apparmor-profiles package
Included in the apparmor-profiles-extra package
See the current list of profiles in Git.