-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security Profile Library for AppArmor #105
Comments
That's great!
That would be good. The only thing to be aware of is that will be a Linux only package in this repo. We'd need to make sure the CMake code checks the platform and skips the package / prints a message if not Linux and that the doc reflects it. We can also host it in a different repo if we don't want to mix platform agnostic vs platform specific packages.
👍 that auditing will be valuable before recommending it to users I'll comment directly on ros-infrastructure/apparmor_profiles#6 for the details |
Are there any other packages that exemplify switching install behaviors based upon host OS craitera? Or how about installing/removing files outside
I have no strong feelings on where such a package is hosted, just that's easily available so that it may be a readable dependency. The idea being that downstream ros2 packages such as rviz, rqt, movit2, etc, could ship AppArmor profiles of their own for end users to start with.
I'd like to find some folks from the AppArmor team or Ubuntu who may be more up-to-date on that project, as Its been a while since I've read there docs and wiki (a lot has change and moved around since then). |
An example of package doing this is rttest
In general low level dependencies are in somehow standalone repos to allow downstream repositories to be released early (as bloom acts on a per repo basis). In this case I expect |
Many software projects releasing for Linux ship with included AppArmor profiles to secure their applications at runtime. To enable ROS package developers to succinctly write and maintain similar app policies, I previously wrote an AppArmor library to pre-configure default tuneables and incluable permission abstractions to simplify authored profiles.
I’d like to suggest we package this AppArmor library for release in SROS2; perhaps calling
sros_apparmor
? This package would mainly serve as a delivery mechanism to install the necessaryinclude
files in/etc/apparmor.d/
. Downstream ROS2 package developers could citesros_apparmor
as a runtime dependency so that the customer profiles they install to/etc/apparmor.d/
could include the required permission abstractions.Background
I initially started a profile library appstration for AppArmor back with SROS1. However, given the library had to be manually installed, adoption in ROS1 was rather limited:
https://github.com/ros-infrastructure/apparmor_profiles
http://wiki.ros.org/SROS/Tutorials/AppArmorAndROS
Progress
I’ve recently been updating the library for ROS2, and have cpp and python nodes working while under enforced profiles, such as this for the demo node examples shown here:
ros-infrastructure/apparmor_profiles#6
Next steps
Going forward, I’d like to add more permission abstractions for other ROS2 primitives events, like process signal handling between launch tools or allowing shared memory access between nodes, while at the same time auditing the existing policy footprint: to verify which rulesets are truly necessary and where we may want to relax restrictions to generalize for common use case patterns. Iterating further by writing more example profiles for the rest of the ROS2 demos might useful for unearthing any remaining conor cases. I’d apprchate help from folks who may also be familiar either AppArmor debuging or testing advanced ROS2 features.
While rewriting the library, it may also be a good opportunity to re-license the tunables and abstraction files to coincide with the rest of ROS2’s development.
I’d like to eventually host this AppArmor library here with the rest of the sros2 packages, so that downstream users can redaly install it and build on top of it. Perhaps packaging the installer (mostly copying files to
/etc/apparmor.d/
) using CMake would be enough of a start?The text was updated successfully, but these errors were encountered: