Differences between revisions 158 and 159
Revision 158 as of 2015-08-14 09:33:50
Size: 9813
Editor: IntRigeri
Comment: Update status and plans.
Revision 159 as of 2017-03-18 15:27:38
Size: 9835
Editor: UlrikeUhlig
Comment: add icedove/thunderbird
Line 51: Line 51:
 * DebianPts:icedove

This page tracks progress of adding AppArmor profiles to Debian.


For Stretch, we'd like more enforced profiles; specifically (in decreasing order of priority):

  1. some of the Usual Suspects™ on the Desktop: evince, isc-dhcp-client, pidgin;
  2. some software that is particularly important in the context of Tails and other privacy-sensitive contexts: Tor;
  3. some low-hanging fruit from Ubuntu's Supported profiles in main list: apache2, libvirt, ntp...

The general workflow for profiles is to find existing profiles, test them in the context of Debian sid, adapt them if needed, and either include them in apparmor-profiles-extra or propose them to Debian package maintainers.

At some point, it would be great to share profile maintenance, e.g. with Ubuntu.

In progress

Profiles being worked on

Pending maintainer upload

Pending upload of apparmor-profiles-extra

Wishlist bug filed

To be done

  • Supported profiles in Ubuntu main => import into apparmor-profiles-extra, unless the respective maintainers want to take it into their package. Maybe start with the high-profile services like Apache, OpenLDAP.

  • rsyslog

  • Help get more profiles into good shape, so that they can be integrated upstream or into apparmor-profiles-extra. The Ubuntu security team roadmap says a bit about their priority and about the current status of profiles under development.

  • Integrate with systemd, either by relying on systemd v210+, which has an AppArmorProfile= option, or by shipping upstart's /lib/init/apparmor-profile-load as an AppArmor helper script and calling it in systemd's ExecStartPre= (note that we removed the dependency on remote_fs from the initscript)
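
The two systemd integration options from the last item above, sketched as alternative drop-ins. This is an added example, not configuration shipped by Debian: the unit exampled.service, the profile name exampled and the profile file usr.sbin.exampled are hypothetical, and passing the profile file name to the helper is an assumption about its interface.

```ini
# Option 1 (systemd v210+): systemd switches the service into the profile.
# /etc/systemd/system/exampled.service.d/apparmor.conf   (hypothetical unit)
[Service]
# Use the name declared inside the profile, not the file name under
# /etc/apparmor.d. The profile must already be loaded into the kernel,
# otherwise the unit fails to start. A leading "-" (AppArmorProfile=-exampled)
# ignores that error and runs the service unconfined, which defeats the point
# of shipping an enforced profile.
AppArmorProfile=exampled

# Option 2: load the profile right before the daemon starts, using the helper
# taken from upstart. Install this INSTEAD of the drop-in above.
# /etc/systemd/system/exampled.service.d/apparmor-load.conf
[Service]
# Assumption: the helper takes the profile file name relative to
# /etc/apparmor.d. Once loaded, a profile attached by path applies when the
# binary is exec'd. systemd aborts the start if this command exits non-zero.
ExecStartPre=/lib/init/apparmor-profile-load usr.sbin.exampled
```

After restarting the service, aa-status shows whether the process is running under the profile and in which mode.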

Done (for Jessie, at least)

Included in the corresponding package

Included in the apparmor-profiles package

The Community supported profiles are included in the apparmor-profiles package in complain mode.

Included in the apparmor-profiles-extra package

OutreachProgram Round 9

During the OutreachProgramForWomen, we will work on improving AppArmor support in Debian. You can follow up on progress here and on the dedicated blog.


Week1 Dec 9th - Dec 15th, 2014

Week2 & 3 Dec 16th - Dec 30th, 2014

Week4 Dec 31st - Jan 06th, 2015

  • import my upstream bugfixes on pidgin-blinklight to the apparmor-profiles-extra package through Git

  • roughly document how to contribute to the upstream profiles

  • set up user stories in order to define the usertags we need, so Debian users and maintainers know how we (want them to) use tags

Week5 & 6 Jan 07th - Jan 20th, 2015

  • fix out of sync README.Debian in apparmor-profiles-extra pkg

  • import How to contribute to Upstream doc to Debian Wiki: AppArmor/ContributeUpstream

  • Finish writing user stories

  • Ask for review of user stories and usertags on pkg-apparmor-team@l.a.d.o

  • Wait for review of usertag RFC

  • Re-elaborate User Stories based on review

  • Wait for new review of UserStories and UserTags

  • fix pidgin profile (see email by intrigeri) about prefs.xml

  • Add "import profile" documentation to wiki AppArmor/Contribute/Import

  • See Craig's mails (psmisc maintainer) to review the process doc 771978

Week7 & 8 Jan 21st - Feb 3rd, 2015

  • File a wishlist bug against bugs.debian.org for push/pull notifications for usertags, this is now 776587

  • Move debugging documentation to its own page

  • Add d.w.o documentation as a link to http://wiki.apparmor.net/index.php/Distro_debian (was there already)

  • Discuss & document when "Suggests: apparmor" needs to have a version number or Breaks:

  • move user stories to dedicated page AppArmor/UserStories

  • link User stories from the Tools section on AA/Contribute

  • Follow-up on new-profile tagged bugs

  • Found a small bug in aa-unconfined which has been patched by upstream devs, filed as 777034

  • Work on AppArmor/Debug and AppArmor/Reportbug

  • Work on wiki documentation navigation: make pages easy to access and things easy to find

Week9 & 10 Feb 4th - Feb 17th, 2015

Week11 - 13 Feb 18th - Mar 9th, 2015

  • Document branch name for contributing to upstream bzr repository on blog post / how to contribute to upstream doc

  • create list of package maintainers who already ship AppArmor profiles.

  • Contact package maintainers who already ship AppArmor profiles. Tell them how to contact the Debian AppArmor packaging team if they experience problems or have any questions. Draft, maintainer list

  • Check udd script with pylint => done but ignored some bits

  • import my upstream bugfixes on pidgin-prefs to the apparmor-profiles-extra package through Git

  • Host udd.py script on Alioth in a git repository which is editable by the team: https://alioth.debian.org/scm/browser.php?group_id=100952

  • Write a final report

  • Once the usertags are defined, announce workflow on blog and debian-devel-announce Draft. Only Debian members can post to d-d-a. This should be done on Monday 9th March 2015. Requested that the mentors use the draft.

After the internship

OPW Coordination meetings

Meetings take place on irc.oftc.net and are recorded by MeetBot.