[apparmor] UDS wrap-up

John Johansen john.johansen at canonical.com
Mon Nov 5 20:18:16 UTC 2012


On 11/03/2012 01:54 PM, Christian Boltz wrote:
> Hello,
> 
> Am Samstag, 3. November 2012 schrieb John Johansen:
>> So just a quick wrap-up of what happened at UDS-R.
>>
>> First there are no audio recordings that I know of 
> 
> Can you open a bugreport against UDS, please? That's something that 
> needs to be fixed ;-)
> 
sadly I think it is deliberate but I will take a stab at filing a bug

> That said:
> It seems to become a tradition that I have to provide the recordings ;-) 
> so I finally created a separate directory for them on my homepage.
> You can download them at
>     www.cboltz.de/uds/
> 
thanks again

> I managed to capture most sessions related to AppArmor and confinement 
> except the last session which was rescheduled in the last minute.
> 
it wasn't the only session rescheduled at the last minute, seems to be
a perennial problem at uds. There were at least a couple sessions where
I had checked the schedule and headed to the next room, just to find it
had been rescheduled in the time it took me to walk there.

> I have the following recordings available:
> 
> 2012-10-apparmor-lxc-development-1.ogg
> 2012-10-apparmor-lxc-development-2.ogg
> 2012-10-application-confinement--content-access-helper--cut.ogg
> 2012-10-application-confinement--gnome-keyring-1.ogg
> 2012-10-application-confinement--gnome-keyring-2.ogg
> 2012-10-application-confinement--online-accounts.ogg
> (some recordings are split into two parts, see the -1 and -2)
> 
> This time all recordings are unedited and include all the noise - but 
> there's less noise compared to the previous UDS, so you can actually 
> understand what was said ;-)
> 
oh, how did we manage that

> 
> Unfortunately someone broke the UDS schedule page
> http://summit.ubuntu.com/uds-r/track/security/
> which means I'm unable to access the pads. 
> 
I'm sure that will get fixed

> John, can you please paste all session notes into a mail and send them 
> to the mailinglist to have them in the list archive?
> 
sure

> 
> BTW, when speaking about conferences: 
> 
> If you are interested in recordings from the openSUSE conference, 
> http://blip.tv/openSUSEtv and http://www.youtube.com/opensusetv are the 
> places to go. 
> 
> My AppArmor workshop was not recorded ("wrong" room, you probably 
> wouldn't learn something new from it anyway ;-)  but at least I have a 
> photo and the slides on blog.cboltz.de ;-)
> 
well that's a shame, I would have still liked to hear/see you give the workshop.
I guess the photo and slides will have to do

>> and I lost access
>> to my home server while there so I didn't end up setting it to record
>> the live stream either.
> 
> Maybe you are interested in my solution which doesn't require to 
> manually restart the recording after the automatic hourly icecast 
> disconnect:
> 
> while true ; do
>     wget http://icecast.ubuntu.com:8000/b3-m3.ogg
>     sleep 1
> done
> 
> You'll of course end up with some files you don't need, but it makes 
> sure you have everything you want - even if a session lasts a bit longer 
> than planned ;-)
> 
> (Disk space is not really an issue - with ~30 MB per hour, you won't 
> fill up your harddisk even if you record several days without any 
> break.)
> 
heh yeah I should just do something like that

>> The general take away is that we will be continuing on the core
>> improvements that we began back in UDS-Q (6 months ago), and we will
>> begin the work towards sandboxing application on the desktop.
>>
>> In particular, we have plans to continue the work on adding apparmor
>> support to dbus, having a trusted file picker that can be run outside
>> of a sandbox, and a gsettings backend that can be used to mediate
>> access to desktop settings.
> 
> IMHO the filepicker is the most important thing - basically it's the 
> only missing part needed to provide secure and non-annoying[1] profiles 
> for web browsers - and also other desktop applications
> (but maybe I underestimate on how many places dbus is used nowadays...)
> 
yes the picker is really important, especially if sandboxing is to be
transparent to the user.

The importance of dbus depends on the application: for some it's critical,
for others it's not that important as long as you don't grant the application
access to the dbus.
