boring-cyborg[bot]
commented
4 years ago Thanks for opening your first issue here!
Be sure to follow the issue template. Your issue will be reviewed by a maintainer and labeled for further action.
Open komachi opened 4 years ago
boring-cyborg[bot]
commented
4 years ago Thanks for opening your first issue here!
Be sure to follow the issue template. Your issue will be reviewed by a maintainer and labeled for further action.
Talkless
commented
4 years ago Hi @komachi , I too use my own Bisq profile on Debian Sid: https://gist.github.com/Talkless/261218250f45f125f8ac541e714ffcce
Not sure though where should it be versioned. I've got qTox [0] profile incorporated into project itself, but it's rather hard to get reviews, as there's not much who knows AppArmor apparently.
Alternative is apparmor-profiles [1] repository, where we could get AppArmor developers into reviews, but that repository versions profiles based on Ubuntu (like 19.10, 20.04) versions... There's some refactoring is planned for that repo but not sure when it will be done. Also, storing profile separately from Bisq sources could make packaging more complicated..? Though Thunderbird Debian package just regularly fetch AppArmor profile from apparmor-profiles and ship in Debian [2].
[0] https://github.com/qTox/qTox/tree/master/security/apparmor [1] https://gitlab.com/apparmor/apparmor-profiles [2] https://salsa.debian.org/mozilla-team/thunderbird/-/tree/debian/sid/debian/apparmor
komachi
commented
4 years ago AppArmor profiles better to be provided by upstream.
apparmor-profiles meant to fill the gap until every package get upsteam profile/until profile is mature enough to be included at least in distribution package. Also Bisq is not packaged by Ubuntu nor by Debian, so it would be strange to maintain profile in apparmor-profiles.
Talkless
commented
4 years ago @komachi Not all profiles in apparmor-profiles repository goes into apparmor-profiles package for (in Debian). As I gave example, Thunderbird maintainer ships profile from apparmor-profiles upstream repository inside thunderbird package. He syncs file time to time into debian dir before releasing new Thunderbird package.
Though I agree that it's kinda inconvenient that Bisq developers would have to fetch profile from other repo, though relying on Bisq developers/contributors on reviewing AppArmor profiles might be naive/optimistic too... Though we can try of course.
stale[bot]
commented
3 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Talkless
commented
3 years ago Ping. Still relevant, just need to find time to actually introduce AppArmor profile.
I drafted an AppArmor profile for Bisq https://github.com/komachi/apparmor-even-more-profiles/blob/master/profiles/opt.Bisq.Bisq
It works for me on debian stable. I propose shipping an AppArmor profile (you can take mine) as part of deb and rpm packages. This is greatly reduce effect of possible vulnerabilities at nearly no cost other than maintaining this profile. Only users with AppArmor enabled will benefit from this, but that's a lot, given that Ubuntu, Debian and others has it enabled by default.