[apparmor] [report] AppArmor BoF and discussions at DebConf14

intrigeri intrigeri at debian.org
Tue Sep 23 04:51:28 UTC 2014


Hi,

better late than never, here's a report from what happened about
AppArmor at DebConf14 a few weeks ago. A few of us (Kees, Steve, Seth,
Holger and I -- John was excused, but I got to see him a bit later)
met and had a formal BoF, that was video'ed, although the recording is
not online yet [1]. The full minutes for this session can be found by
connecting to gobby.debian.org with Gobby, in the
debconf14/bof/AppArmor document.

A dozen other people or so attended, which I see as a success,
considering it was the first time (I think) that anything about
AppArmor happened at a Debian event, and we still haven't announced
our team to our peer Debian contributors yet.

This session was at least as much about making sure we all (including
attendees that were not sitting in circle) had the relevant info, as
it was about actually making progress and decisions.

The biggest, although less visible, outcome of DebConf14 may very well
be that we now have a unified AppArmor team (Cc'd) in Debian, that
takes care both of the userspace and the policy. I bet this will help
coordinate all the work in this area... and will allow us to offload
Kees from some grunt work, and let him instead focus on areas where
his expertise is needed. I encourage anyone interested to subscribe to
this team's mailing list, in particular Ubuntu/Canonical people
willing to improve collaboration between our projects :)

Action items and decisions from the BoF:

  * About the "network rules not enforced" warning, on the short
    term, we won't hide it, but instead improve it to point to
    documentation:
      - write doc [intrigeri]
      - patch the userspace tools [kees]
    => this has to happen in time for the Jessie freeze.

  * We can try to convince Canonical's management to prioritize
    upstreaming AppArmor kernel patches higher. We didn't really come
    up with a clear decision or way to go about it, but it would be
    good to see this happen somehow.

  * We won't insist on having more out-of-tree kernel patches in the
    Jessie kernel. However, I'm told that if the network mediation
    patch was resubmitted upstream early enough before the Jessie
    freeze, then it could possibly be applied to the Jessie kernel.
    Hint, hint :)  John is aware of this, but his plate is quite full
    currently. We'll see.

  * Regarding the version of the userspace to be shipped in Jessie:
    we're waiting for 2.8.4 to be released, which would already be
    better than the 2.8.0 + tons of patches we currently ship, but
    ideally we would like to ship 2.9 if it's out in time for
    the freeze.

  * Regarding the policy: we agreed that on the long run, policies
    should be shipped in the individual packages. We'll create a set
    of usertags to track AppArmor-related bugs, and we'll inform
    maintainers that we're happy to help them fix it. This is part of
    an OPW project that was just submitted, by the way:
    https://wiki.debian.org/OutreachProgramForWomen#AppArmor_profiles_for_widely_used_applications

[1] http://meetings-archive.debian.net/pub/debian-meetings/2014/debconf14/webm/

Cheers,
-- 
intrigeri