** Description changed:

  ## FFE ##
  
  This is a Feature Freeze Exception request for questing for the apparmor
  package and for a new source package called apparmor.d:
  
  I'd like to add a new source package called apparmor.d which contains
  over 1500 profiles from the upstream project apparmor.d [1]
  
  These profiles will be added in "complain" mode, which means that for a
  given action, if the profile rules do not grant permission the action
  will be allowed, but the violation will be logged with a tag of the
  access being ALLOWED. This is done because we want to test these
  profiles and enable others to test and add new rules to eventually
  improve the profiles.
  
  By adding these profiles in a new package which is not installed by
  default, regular users will not be affected. But users that would like
  to test and contribute to the profiles can install it.
  
  We want to add these profiles, even in complain mode, as a new package
  (and not part of the apparmor package) because labeling certain binaries
  could cause issues with existing policy, especially those that use
  "peer". Additionally, the large number of profiles does take a while to
  compile by the parser in the first boot. After that, a cached version of
  the profiles can be loaded directly into the kernel by the parser which
  takes considerably less time. Note again that apparmor.d will not be
  installed by default, so this will only affect users that choose to
  install it.
  
  The benefit of this change is the ability to increase the amount of
  testing for these profiles, which will then enable us to eventually ship
  them in enforce mode. More profiles means more confined applications,
  which could lead to higher security. This is the first step towards
  that.
  
  This FFE also includes the apparmor package because we want to change
  the suggestion from the apparmor-profiles-extra package, which is no
  longer maintained and will be deprecated in the future, to the new
  apparmor.d.
  
  This is the PPA containing a built version of apparmor and apparmor.d:
  
  https://launchpad.net/~georgiag/+archive/ubuntu/apparmor.dinapparmor4/
  
  These are the installation logs:
- georgia@sec2-questing-amd64:~$ sudo apt install apparmor.d 
--allow-unauthenticated
- #TODO
+ georgia@sec2-questing-amd64:~$ sudo apt install apparmor.d
+ [sudo: authenticate] Password: 
+ The following packages were automatically installed and are no longer 
required:
+   apg                      linux-headers-6.15.0-3
+   cpp-14                   linux-headers-6.15.0-3-generic
+   cpp-14-x86-64-linux-gnu  linux-modules-6.15.0-3-generic
+   gcc-14-base              linux-tools-6.15.0-3
+   libclang1-19             linux-tools-6.15.0-3-generic
+   libglu1-mesa             x11-apps
+   libllvm19                x11-session-utils
+   libopengl0               xbitmaps
+   libsframe1               xinit
+   libxcb-damage0           xorg
+   libxkbcommon-x11-0
+ Use 'sudo apt autoremove' to remove them.
+ 
+ Installing:
+   apparmor.d
+ 
+ Summary:
+   Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 80
+   Download size: 264 kB
+   Space needed: 3,660 kB / 6,525 MB available
+ 
+ Get:1 https://ppa.launchpadcontent.net/georgiag/apparmor.dinapparmor4/ubuntu 
questing/main amd64 apparmor.d amd64 0.015-1ubuntu1 [264 kB]
+ Fetched 264 kB in 3s (87.5 kB/s)    
+ Selecting previously unselected package apparmor.d.
+ (Reading database ... 240730 files and directories currently installed.)
+ Preparing to unpack .../apparmor.d_0.015-1ubuntu1_amd64.deb ...
+ Unpacking apparmor.d (0.015-1ubuntu1) ...
+ Setting up apparmor.d (0.015-1ubuntu1) ...
+ 
  
  georgia@sec2-questing-amd64:~$ systemctl status apparmor
- #TODO
+ ● apparmor.service - Load AppArmor profiles
+      Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; 
preset: enabled)
+      Active: active (exited) since Fri 2025-08-29 11:09:28 -03; 10min ago
+  Invocation: ad13f50c63404cdfba6de8ab6fdf0069
+        Docs: man:apparmor(7)
+              https://gitlab.com/apparmor/apparmor/wikis/home/
+     Process: 9373 ExecReload=/lib/apparmor/apparmor.systemd reload 
(code=exited, status=0/SUCCESS)
+    Main PID: 525 (code=exited, status=0/SUCCESS)
+    Mem peak: 202.3M (swap: 292K)
+         CPU: 5min 2.609s
+ 
+ Aug 29 11:17:39 sec2-questing-amd64 apparmor.systemd[10859]: Skipping profile 
in /etc/apparmor.d/d>
+ Aug 29 11:17:44 sec2-questing-amd64 apparmor.systemd[10887]: Skipping profile 
in /etc/apparmor.d/d>
+ Aug 29 11:17:47 sec2-questing-amd64 apparmor.systemd[10932]: Skipping profile 
in /etc/apparmor.d/d>
+ Aug 29 11:17:50 sec2-questing-amd64 apparmor.systemd[10996]: Warning: found 
usr.sbin.sssd in /etc/>
+ Aug 29 11:17:50 sec2-questing-amd64 apparmor.systemd[10996]: Warning from 
/etc/apparmor.d (/etc/ap>
+ Aug 29 11:17:54 sec2-questing-amd64 apparmor.systemd[11015]: Skipping profile 
in /etc/apparmor.d/d>
+ Aug 29 11:17:59 sec2-questing-amd64 apparmor.systemd[11042]: Skipping profile 
in /etc/apparmor.d/d>
+ Aug 29 11:17:59 sec2-questing-amd64 apparmor.systemd[11043]: Skipping profile 
in /etc/apparmor.d/d>
+ Aug 29 11:18:00 sec2-questing-amd64 apparmor.systemd[11051]: Skipping profile 
in /etc/apparmor.d/d>
+ Aug 29 11:18:09 sec2-questing-amd64 systemd[1]: Reloaded apparmor.service - 
Load AppArmor profiles.
+ georgia@sec2-questing-amd64:~$ 
  
  For testing, I ran the QA Regression Tests [2]:
  
  Steps:
  $ git clone https://git.launchpad.net/qa-regression-testing
  $ ./scripts/make-test-tarball ./scripts/test-apparmor.py
  Copying: test-apparmor.py
  Copying: testlib.py
  Copying: install-packages
  Copying: packages-helper
  Copying: apparmor/
  
  Test files: /tmp/qrt-test-apparmor.tar.gz
  
  To run, first install the apparmor.d package introduced in this FFE, then 
copy the tarball somewhere, then do:
  $ tar -zxf qrt-test-apparmor.tar.gz
  $ cd ./qrt-test-apparmor
  $ sudo ./install-packages test-apparmor.py
  $ ./test-apparmor.py -v
  
  This script runs various tests against the installed apparmor
  package.
  
  The result was:
  
  #TODO
  
- 
  [1] https://github.com/roddhjav/apparmor.d
  [2] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2121409

Title:
  [FFE] add a new apparmor.d package containing several apparmor
  profiles

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2121409/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
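The description above relies on complain mode: an access the profile does not grant is still permitted, but the kernel logs it with apparmor="ALLOWED", and those log entries are what testers review before proposing new rules. The following is an added example, not code from the bug report or from the apparmor.d project: a small Python parser that groups such events per profile, separating complain-mode ALLOWED events (which would become denials in enforce mode) from real DENIED events. It assumes the key="value" audit line layout AppArmor emits through the audit subsystem (as seen in `journalctl -k` or /var/log/audit/audit.log); the sample lines and profile names embedded in it are constructed for illustration, not captured from a real system.

```python
"""Summarize AppArmor complain-mode events from audit/kernel log lines.

Added example, not part of the bug report or the apparmor.d project.
Assumptions: lines use the key="value" layout AppArmor emits through the
audit subsystem; the sample lines below are constructed, not captured.
"""
import re
from collections import defaultdict

# Constructed sample: three complain-mode ("ALLOWED") events, one enforce-mode
# denial and one profile-load status message. Profile names are illustrative.
SAMPLE_LOG = """\
audit: type=1400 audit(1756480000.101:201): apparmor="ALLOWED" operation="open" class="file" profile="pidof" name="/proc/1234/stat" pid=4100 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1756480000.102:202): apparmor="ALLOWED" operation="open" class="file" profile="pidof" name="/proc/1235/stat" pid=4100 comm="pidof" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1756480000.103:203): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/etc/shadow" pid=4101 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1756480000.104:204): apparmor="ALLOWED" operation="exec" class="file" profile="xinit" name="/usr/bin/xterm" pid=4102 comm="xinit" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="xterm"
audit: type=1400 audit(1756480000.105:205): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsblk" pid=4000 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of the key/value fields of one AppArmor audit line,
    or None when the line is not an AppArmor message."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def summarize(log_text):
    """Group events by profile.

    Returns (allowed, denied):
      allowed: {profile: {(operation, name, requested_mask): count}} for
               complain-mode events, i.e. accesses the profile does not
               grant and that would be blocked under enforce mode;
      denied:  {profile: count} for enforce-mode denials.
    STATUS and other message kinds are ignored.
    """
    allowed = defaultdict(lambda: defaultdict(int))
    denied = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or "profile" not in ev:
            continue
        kind = ev.get("apparmor")
        if kind == "ALLOWED":
            key = (ev.get("operation"), ev.get("name"), ev.get("requested_mask", ""))
            allowed[ev["profile"]][key] += 1
        elif kind == "DENIED":
            denied[ev["profile"]] += 1
    return ({p: dict(evs) for p, evs in allowed.items()}, dict(denied))


def report(log_text):
    """Render a per-profile list of complain-mode accesses as text lines,
    most frequent first; this is what a tester reviews before adding rules."""
    allowed, denied = summarize(log_text)
    lines = []
    for profile in sorted(allowed):
        lines.append(f"profile {profile}: {sum(allowed[profile].values())} "
                     f"complain-mode event(s)")
        for (op, name, mask), n in sorted(allowed[profile].items(),
                                          key=lambda kv: -kv[1]):
            lines.append(f"  {n:>4}  {op:<8} {mask:<4} {name}")
    for profile, n in sorted(denied.items()):
        lines.append(f"profile {profile}: {n} enforce-mode denial(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On a system with the package installed, the same functions can be fed real lines (for instance the output of `journalctl -k`, an assumed but standard source) instead of SAMPLE_LOG; a profile whose ALLOWED list stays empty over a realistic workload is a candidate for enforce mode, while a long list points at rules the upstream profile still lacks.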
