This patchset is to accomplish the code portion of the security-p-app-isolation blueprint. aa-easyprof is a standalone CLI application which can also be imported into developer SDKs. From the man page:
"aa-easyprof provides an easy to use interface for AppArmor policy generation. aa-easyprof supports the use of templates and policy groups to quickly profile an application. Please note that while this tool can help with policy generation, its utility is dependent on the quality of the templates, policy groups and abstractions used. Also, this tool may create policy which is less restricted than creating policy by hand or with aa-genprof and aa-logprof."

In essence, aa-easyprof takes a different view on policy generation and is useful when you already know how the application should behave and want to create an initial policy based on this. As such, one can create a template and any supporting policy groups (policy groups are similar to abstractions or the old-style program-chunks in that they are simply groupings of policy rules) then use aa-easyprof to generate a policy. The CLI tool dumps the resulting policy to stdout and requires no privileges.

This patchset is broken into 4 parts:

* 0001-aa-easyprof.patch: the application, library, documentation and installation script
* 0002-aa-easyprof-policy.patch: the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2].
* 0003-aa-easyprof-unittests.patch: tests for the library
* 0004-aa-easyprof-makefile.patch: Makefile integration

Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here).
Example usage to achieve something approaching the ARB requirements[2] is:

  $ aa-easyprof --template=user-application \
        --template-var="@{APPNAME}=foo" \
        --policy-groups=opt-application,user-application \
        /opt/foo/bin/foo

Testing can be performed in a number of ways:

  $ cd utils ; make check   # runs unit tests and pyflakes

Unit tests manually:

  $ ./test/test-aa-easyprof.py

In source manual testing:

  $ ./aa-easyprof --templates-dir=./easyprof/templates \
        --policy-groups-dir=./easyprof/policygroups \
        ... \
        /opt/foo/bin/foo

Post-install manual testing:

  $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install
  $ cd /tmp/test
  $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \
        --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \
        --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \
        /opt/bin/foo

(you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir).

[1] https://blueprints.launchpad.net/ubuntu/+spec/security-p-app-isolation
[2] http://developer.ubuntu.com/publish/my-apps-packages/

-- 
Jamie Strandboge | http://www.canonical.com
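The template plus policy-group model described above, as an added illustration that is not part of the patchset or the aa-easyprof library: a minimal generator that substitutes @{VAR} template variables and splices policy-group rules into a profile. The template text, the policy-group contents and the `###POLICYGROUPS###` marker are constructed for this example, and the check that rejects unknown policy groups or unresolved variables (so a typo never ships as a dangling @{...} in policy) is the point worth copying, not the format.

```python
import re

# Constructed template standing in for a file under the templates dir.
# "@{APPNAME}" is a template variable; "###POLICYGROUPS###" is a marker
# invented here for where policy-group rules get spliced in.
TEMPLATE = """# AppArmor policy for @{APPNAME}
#include <tunables/global>

@{BINARY} {
  #include <abstractions/base>

  ###POLICYGROUPS###

  @{BINARY} mr,
}
"""

# Constructed policy groups (name -> rules); the real files under the
# policygroups dir will differ.
POLICY_GROUPS = {
    "opt-application": ["/opt/@{APPNAME}/** r,"],
    "user-application": ["owner @{HOME}/.config/@{APPNAME}/ rw,"],
}

VAR_RE = re.compile(r"@\{([A-Za-z_][A-Za-z0-9_]*)\}")


def generate(binary, template, groups, template_vars, tunables=("HOME",)):
    """Render a profile. Raises ValueError on a relative binary path, an
    unknown policy group, or a template variable that is neither supplied
    nor a known AppArmor tunable (tunables such as @{HOME} stay as-is)."""
    if not binary.startswith("/"):
        raise ValueError("binary must be an absolute path: %r" % binary)
    unknown = [g for g in groups if g not in POLICY_GROUPS]
    if unknown:
        raise ValueError("unknown policy groups: %s" % ", ".join(unknown))
    rules = []
    for g in groups:
        rules.append("  # policy group: %s" % g)
        rules.extend("  " + r for r in POLICY_GROUPS[g])
    text = template.replace("###POLICYGROUPS###", "\n".join(rules).lstrip())
    subst = dict(template_vars, BINARY=binary)
    # Substitute after splicing so variables inside group rules resolve too.
    text = VAR_RE.sub(lambda m: subst.get(m.group(1), m.group(0)), text)
    left = sorted(set(VAR_RE.findall(text)) - set(tunables))
    if left:
        raise ValueError("unresolved template variables: %s" % ", ".join(left))
    return text
```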
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor