[Apparmor-dev] Re: AppArmor 2.1 Feature Overview

Dominic Reynolds dreynolds at suse.de
Tue Aug 14 09:17:47 MDT 2007


Hi,

+++ S.Çağlar Onur [14/08/07 14:35 +0300]:
> Hi All;
> 
> On Mon, 13 Aug 2007, Dominic Reynolds wrote:
> > ....repost - incorporating feedback.
> > 
> > -----------------
> > 
> > Per the irc discussion on #apparmor I wanted to post for review the planned changes
> > around the 2.1 release for AppArmor. This release will ship as part of
> > openSUSE 10.3 and Ubuntu "gutsy". Feedback/corrections welcome :)
> 
> As you may already know, Pardus 2007 has already shipped AppArmor in its default installation since December 2006 :)
> And we are closely watching current development, and we are also planning to ship the new AppArmor with our new
> releases.
> 
> > This version will be also released as tarballs and maintained in a branch on
> > forge svn.
> 
> +1
> 
> > o Support for Network Repository for profile storage
> > 
> >   The AppArmor profile tools now interact with local and remote repositories of
> >   profiles to supply the user with profiles when profiles are needed for
> >   applications and to allow central storage of AppArmor profiles across
> >   multiple machines.
> > 
> >   * Selecting profiles from a repository:
> >     The user is prompted to select a profile from one or more users in the
> >     network repository or from the local inactive profile repository
> >     (/etc/apparmor/profiles/extras). 
> > 
> >   * Storing profiles in a repository
> >     The user has the option of storing profiles in a remote repository. The user
> >     is required to supply a username, password, and email address to
> >     create/access an account on the repository server and then the
> >     new/changed profiles can be stored on the remote server.
> 
> Wonderful news :)
> 
> But it triggered another question in my mind: what about the default profiles shipped with AppArmor?
> Currently we are using some sed/awk magic to convert openSUSE-based profiles to Pardus-specific ones,
> and I think currently this is also what Mandriva and Ubuntu do.
> 
> I'm sure this community-based approach will solve lots of problems, but I want to know what other distros
> (SUSE, Ubuntu, Mandriva) are planning. Will you provide AppArmor as just an abstraction and encourage your users to
> create their own profiles, or will you provide feature-complete profile sets for your distros' default installation?

One thing to note - the repository can support multiple distributions (so
Pardus, Ubuntu can have a preferred_user that contains your distro's profiles).
We are currently planning on a tag per release - so profiles would be
for openSUSE-10.3 openSUSE-11.0 etc. I just need from the distributions a
tag (name-version) that they would like to see in the repository and then the
distributor would just need to modify their /etc/apparmor/logprof.conf to set
a distribution and preferred_user (for the next openSUSE release we will use
distribution=openSUSE10.3 preferred_user=novell).

The intent is to ship apparmor with a minimal profile set (maybe just
abstractions) and to have the packages themselves contain the application
profiles.


>  
> > o AppArmor Desktop Applet for Gnome
> > 
> >     A desktop applet for gnome that AppArmor events via dbus.
> 
> Any plans for a KDE-specific one, or to make this applet interactive instead of just giving information about events?

We would like to see both things happen:

 - the applet integrates with other tools to address the event (fix the
   profile if needed)
 - the applet is ported to kde

We don't have anyone working on these in the near term. I think the applet
could be updated to call YaST - but that's quite SUSE
specific.

One of our developers mentioned the possibility that the applet could be
converted to a systray applet that works on both desktops (but again we don't
have resources to tackle this at the moment).

For either of these we would welcome any contributions or feedback about
them.



 
> 
> Cheers
> -- 
> S.Çağlar Onur <caglar at pardus.org.tr>
> http://cekirdek.pardus.org.tr/~caglar/
> 
> Linux is like living in a teepee. No Windows, no Gates and an Apache in house!


Thanks for the feedback.

-dom