[apparmor] Portable profiles
John Johansen
john.johansen at canonical.com
Tue Jul 28 00:13:01 UTC 2020
On 7/27/20 2:22 PM, Amitav Mohanty wrote:
> Hi
>
> I am reading up on Apparmor recently. I see that Ubuntu and openSUSE have packaged profiles in their repositories. However, other distributions are just asking people to create the profiles using tools or manually or modify profiles from the above distributions. I think that sort of hinders the adoption of Apparmor. I would love to hear your thoughts on this.
>
It certainly does some. Profiles unfortunately have to be somewhat tailored to a machine/distro. There are several things however that can be done to make profiles more portable, and as an upstream we have been pushing for profiles to use as many as possible.
e.g.
Deprecation of path base profile names
https://gitlab.com/apparmor/apparmor/-/wikis/DeprecateProfilePathName
and the use of variables for the base of rules, which allows a distro to just modify the variable define.
e.g.
@{proc}/self/attr/current rw,
@{lib}/** mr,
owner @{HOME}/** r,
As an upstream we have added several new base variables and updated reference policy to use them. It will of course take time to get out of tree policy migrated over.
> Also, I was thinking of having some tool as the following:
>
> have a base profile template for an application
> |
> |
> \ /
> have a generator tool <-- a distro-specific list of locations (libraries included)
> |
> |
> \ /
> create a profile usable in the distro directly from the profile template maintained in the common repo
>
> Let me know what you think.
>
Ideally we could do this all with variables, but the reality is that we probably won't ever get all profiles to use variables, and tooling to rewrite profiles is always nice to have. Ideally existing tooling genprof/logprof/mergeprof would be able to identify profile locations and map them to variables or new locations and rewrite them. With that said I am not opposed to having a dedicated tool to do this either.
Another thing I would like is for upstream apparmor to collect the set of defines for each distro, and make it so we can switch the variable defines by either checking what distro apparmor is running on (dynamic) or by defining a distro variable to force a given set.
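One way to realise the rewrite step discussed in this thread, as an added example that is not part of the thread or of AppArmor's own tools: a small Python script that maps hard-coded paths in a profile back to the variables named above, and then expands them for a given distro the way apparmor_parser expands multi-valued variables. The per-distro define sets and the rule-line regex are constructed assumptions.

```python
import re
from itertools import product

# Constructed sample define sets, one per distro (assumption: the real values
# live in /etc/apparmor.d/tunables/ on each distro and differ from these).
DISTRO_DEFINES = {
    "distro_a": {"@{proc}": ["/proc"], "@{lib}": ["/usr/lib", "/lib"],
                 "@{HOME}": ["/home/*"]},
    "distro_b": {"@{proc}": ["/proc"], "@{lib}": ["/usr/lib64", "/lib64"],
                 "@{HOME}": ["/home/*", "/root"]},
}
# Assumed rule shape: [indent][owner ]<path> <perms>,  (one rule per line)
RULE_RE = re.compile(r"^(\s*)((?:owner\s+)?)(\S+)(\s+\S+,\s*)$")
VAR_RE = re.compile(r"@\{[^}]+\}")

def to_portable(profile, defines):
    """Rewrite hard-coded path prefixes in file rules back to variables.
    Longest prefix is tried first so /usr/lib is not shadowed by /lib."""
    prefixes = sorted(((p, v) for v, ps in defines.items() for p in ps),
                      key=lambda t: -len(t[0]))
    out = []
    for line in profile.splitlines():
        m = RULE_RE.match(line)
        if m:
            indent, owner, path, rest = m.groups()
            for prefix, var in prefixes:
                if path == prefix or path.startswith(prefix + "/"):
                    path = var + path[len(prefix):]
                    break
            line = f"{indent}{owner}{path}{rest}"
        out.append(line)
    return "\n".join(out)

def expand(profile, defines):
    """Expand variables for one distro: a multi-valued variable yields one
    rule per combination of values. Variables not in `defines` are kept."""
    out = []
    for line in profile.splitlines():
        names = [n for n in dict.fromkeys(VAR_RE.findall(line)) if n in defines]
        for combo in product(*(defines[n] for n in names)):
            new = line
            for var, val in zip(names, combo):
                new = new.replace(var, val)
            out.append(new)
    return "\n".join(out)

if __name__ == "__main__":
    template = "/proc/self/attr/current rw,\n/usr/lib/** mr,\nowner /home/*/** r,"
    portable = to_portable(template, DISTRO_DEFINES["distro_a"])
    print(portable, "\n---\n", expand(portable, DISTRO_DEFINES["distro_b"]), sep="")
```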