apparmor profile enhancement packaging

[paul4335]

I saw that @ioerror already created an apparmor profile for subgraphos -- is it possible to include an apparmor profile by default (for debian and ubuntu based distrobutions)? I think it might be a good idea from a "security-by-default" point of view.

[special]

There is a generic apparmor profile in ricochet's contrib/ folder: https://github.com/ricochet-im/ricochet/blob/master/contrib/usr.bin.ricochet-apparmor - but you'd have to install it yourself from the source.

One answer here is that we should have packages for apparmor-enabled systems (like Ubuntu), which include the profile by default.

[special]

@infinity0 what is debian's policy on packaging apparmor policies?

[infinity0]

I've never done it myself, but the tor package has one and more general information is here. I'd imagine that if ricochet's one works with portable mode then it wouldn't be too hard to make it work on Debian. I'll do that work when the next version comes out, or someone else can send me a patch in the meantime.

[pureooze]

This would be useful for openSUSE too, I will ask the apparmor maintainer to check this out and give feedback. From what I can tell it should be pretty simple to get this profile setup for users if its provided in the installation tarball.

[cboltz]

Some quick notes on the profile (I only read it, no testing done):

[change_hat openSUSE AppArmor maintainer]

• /usr/lib/** mr, - openSUSE uses /usr/lib64/ for x86_64, so please change this to /usr/lib{,64}/ or just /usr/lib*/. You could also #include <abstractions/base>, but this drops in some more permissions, so check it before you decide ;-)

[change_hat upstream dev]

• /etc/machine-id r, and /var/lib/dbus/machine-id r,
  • Access to the machine-id indicates DBus usage. The Ubuntu kernel contains a patchset (will get upstreamed) that adds dbus mediation to AppArmor, so you'll probably need to add some dbus rules if you want to have the profile working for Ubuntu.
  • If you are concerned about these, did you try to deny access to the machine-id files and check if something breaks? (I'm not sure how much you'd win by doing this, there are still enough ways to fingerprint a system)
  • If ricochet doesn't use DBus itsself, you could put the program that does the DBus stuff in a child profile instead of inheriting it

(mail copy to my @ccboltz archive)

[pureooze]

I have added the apparmor profile to the package in my development repo. We are waiting on some apparmor macros to get accepted for OBS at which point I will push it into the server:messages and eventually distro repo. Seems to be working so far but if others would test it out that would be appreciated.