[ubuntu-hardened] Who makes Policy for Ubuntu apparmor?

Jamie Strandboge jamie at canonical.com
Fri Jul 27 16:36:03 UTC 2012

On Tue, 2012-07-24 at 09:00 -0700, Michael J Daniel wrote:
> Hi!
> Who makes policy for Ubuntu apparmor?
> (I just had this idea, though I doubt I'm the first.)

Shipped policy is reviewed by the Ubuntu Security team and as
appropriate, AppArmor upstream.

> It would be great if the user and system administrator have the following 
> interaction with apparmor.
> While browsing Ubuntu Software Center, they can see which packages
> are certified protected by apparmor.
> When they install the package and run the software, they know its 
> execution is protected by apparmor.

This is an interesting idea, but not many Software Center facing
applications are confined yet.[1]

> It would be great if the package developer has the following interaction
> with apparmor.
> Part of the development process for their program is to create an 
> apparmor policy, pretest it for apparmor certification and include it in 
> their package.

This is actually something that is already starting to happen. There has
been a slow start, but the ARB (Application Review Board) and
developer.ubuntu.com sites should have more tie-ins with AppArmor and
other types of application confinement in the next couple of Ubuntu

> It would be great if the independent apparmor certification team has the 
> following interaction with apparmor.
> Part of making a package available for installation from the Ubuntu 
> Software Center is to check it for an apparmor profile, test the 
> profile, and designate it as apparmor certified.
> It would be great if the Ubuntu Security Team has the following 
> interaction with apparmor.
> Create and maintain the processes and tools to make the above user, 
> administrator, and developer interactions happen.

Tools are available already for this, namely apparmor-utils. aa-genprof
and aa-logprof are CLI applications that an administrator can use[2][3]
to confine an application to observed and configured behavior. There is
also a new tool called aa-easyprof that is template based. This is
intended to be used by the developer that knows how the application
should behave in the first place, and it will be a part of the
aforementioned development process.


Jamie Strandboge             | http://www.canonical.com