Open paul4335 opened 8 years ago
There is a generic apparmor profile in ricochet's contrib/ folder: https://github.com/ricochet-im/ricochet/blob/master/contrib/usr.bin.ricochet-apparmor - but you'd have to install it yourself from the source.
One answer here is that we should have packages for apparmor-enabled systems (like Ubuntu), which include the profile by default.
@infinity0 what is Debian's policy on packaging apparmor policies?
I've never done it myself, but the tor package has one and more general information is here. I'd imagine that if ricochet's one works with portable mode then it wouldn't be too hard to make it work on Debian. I'll do that work when the next version comes out, or someone else can send me a patch in the meantime.
This would be useful for openSUSE too, I will ask the apparmor maintainer to check this out and give feedback. From what I can tell it should be pretty simple to get this profile set up for users if it's provided in the installation tarball.
Some quick notes on the profile (I only read it, no testing done):

[change_hat openSUSE AppArmor maintainer]

`/usr/lib/** mr,` - openSUSE uses /usr/lib64/ for x86_64, so please change this to `/usr/lib{,64}/` or just `/usr/lib*/`. You could also `#include <abstractions/base>`, but this drops in some more permissions, so check it before you decide ;-)

[change_hat upstream dev]

`/etc/machine-id r,` and `/var/lib/dbus/machine-id r,` and `dbus` rules if you want to have the profile working for Ubuntu. (mail copy to my @ccboltz archive)
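The notes above applied to a profile skeleton, as an added illustration rather than the project's own contrib/ profile: the /usr/bin/ricochet attachment path and the session-bus lines are assumptions, and the rest of the real profile's rules are omitted.

```apparmor
# Added example, not ricochet's contrib profile. Assumes the binary is
# installed at /usr/bin/ricochet; merge these rules into the full profile.
#include <tunables/global>

/usr/bin/ricochet {
  # Optional: common read access most programs need (shared libs, locale,
  # /proc bits). Compare what it grants against the explicit rules below
  # before relying on it.
  #include <abstractions/base>

  # The executable itself.
  /usr/bin/ricochet mr,

  # Before: /usr/lib/** mr,  misses /usr/lib64/ on openSUSE x86_64.
  # After: cover both layouts (or use /usr/lib*/** mr,).
  /usr/lib{,64}/** mr,

  # machine-id reads needed on Ubuntu (D-Bus client library).
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  # D-Bus: the abstraction only grants the session-bus socket; explicit
  # dbus rules are still required, so keep them as narrow as possible.
  #include <abstractions/dbus-session-strict>
  dbus send bus=session,
}
```

Check with `apparmor_parser -Q -r /etc/apparmor.d/usr.bin.ricochet` (syntax) and `aa-complain` plus the audit log (behaviour) before switching the profile to enforce mode.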
I have added the apparmor profile to the package in my development repo. We are waiting on some apparmor macros to get accepted for OBS at which point I will push it into the server:messages and eventually distro repo. Seems to be working so far but if others would test it out that would be appreciated.
I saw that @ioerror already created an apparmor profile for subgraphos -- is it possible to include an apparmor profile by default (for Debian and Ubuntu based distributions)? I think it might be a good idea from a "security-by-default" point of view.