Open komachi opened 4 years ago
Thanks for opening your first issue here!
Be sure to follow the issue template. Your issue will be reviewed by a maintainer and labeled for further action.
Hi @komachi, I too use my own Bisq profile on Debian Sid: https://gist.github.com/Talkless/261218250f45f125f8ac541e714ffcce
Not sure though where it should be versioned. I've got the qTox [0] profile incorporated into the project itself, but it's rather hard to get reviews, as there aren't many who know AppArmor, apparently.
An alternative is the `apparmor-profiles` [1] repository, where we could get AppArmor developers into reviews, but that repository versions profiles based on Ubuntu versions (like 19.10, 20.04)... There's some refactoring planned for that repo, but not sure when it will be done. Also, storing the profile separately from Bisq sources could make packaging more complicated..? Though the Thunderbird Debian package just regularly fetches the AppArmor profile from `apparmor-profiles` and ships it in Debian [2].
[0] https://github.com/qTox/qTox/tree/master/security/apparmor
[1] https://gitlab.com/apparmor/apparmor-profiles
[2] https://salsa.debian.org/mozilla-team/thunderbird/-/tree/debian/sid/debian/apparmor
AppArmor profiles are better provided by upstream.
`apparmor-profiles` is meant to fill the gap until every package gets an upstream profile / until the profile is mature enough to be included at least in the distribution package. Also, Bisq is not packaged by Ubuntu nor by Debian, so it would be strange to maintain the profile in `apparmor-profiles`.
@komachi Not all profiles in the `apparmor-profiles` repository go into the `apparmor-profiles` package (in Debian). As in the example I gave, the Thunderbird maintainer ships the profile from the `apparmor-profiles` upstream repository inside the `thunderbird` package. He syncs the file from time to time into the `debian` dir before releasing a new Thunderbird package.
Though I agree that it's kinda inconvenient that Bisq developers would have to fetch the profile from another repo, relying on Bisq developers/contributors to review AppArmor profiles might be naive/optimistic too... Though we can try, of course.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Ping. Still relevant, just need to find time to actually introduce AppArmor profile.
How many would run a 300+ MB binary not providing an AppArmor profile? It should be part of the .deb, it's as simple as that.
I drafted an AppArmor profile for Bisq: https://github.com/komachi/apparmor-even-more-profiles/blob/master/profiles/opt.Bisq.Bisq
It works for me on Debian stable. I propose shipping an AppArmor profile (you can take mine) as part of the deb and rpm packages. This would greatly reduce the effect of possible vulnerabilities at nearly no cost other than maintaining this profile. Only users with AppArmor enabled will benefit from this, but that's a lot, given that Ubuntu, Debian and others have it enabled by default.