Apparmor Profiles

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Apparmor Profiles

#1 Post by jlambrecht »

I'm currently having a more and more in-depth look at AppArmor Profiles in Debian. It's something, but certainly there's room for improvement. Anyone who has also written custom profiles and is willing to start work on an improved or new set of profiles?
Embrace what you're not certain of,
keep an eye on what you're confident about.

Gyokuro
Posts: 44
Joined: 2013-03-06 19:33

Re: Apparmor Profiles

#2 Post by Gyokuro »

I'm interested, and I think that profiles should be improved, as some profiles are really relaxed, but my biggest problem is that most profiles should be overworked upstream and all Ubuntu references should be replaced with distribution-agnostic names (abstractions/ubuntu-browsers-d/chromium-browser => abstractions/distribution-browsers-d/chromium-browsers).

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Apparmor Profiles

#3 Post by jlambrecht »

Thanks, we understand each other.

I'm currently tinkering but not yet studying how to modularize this in a sane way. My aim is also to really protect the entire system, at least as far as AppArmor permits. After all, it is said to be quite imperfect (one ref of many = http://www.rsbac.org/pipermail/rsbac/20 ... 02186.html). Implementing RSBAC seems a bit over my head for now ;-)

Currently I'm limiting my scope of thought to a rather generic split of "Internet Connecting Applications" and "Internet Visible Services". This kind of leaves open the use of attached or inserted media, shell access exploitation and many others. I'm also considering some form of automated profiling of packages being installed, but this seems a dead end, for now.
Embrace what you're not certain of,
keep an eye on what you're confident about.
