On 2017-12-10 11:39, Philipp Huebner wrote:
>> Since Debian has an ongoing experiment to have AppArmor enabled by default in Buster, I believe it would be useful to have an AppArmor profile made good enough to be enabled by default for this internet-facing daemon too. Maybe this suggestion could make this possible?
> I like your proposal as long as it doesn't add too much delay when changes are necessary.
This is an understandable concern. But as far as it goes, Thunderbird profile maintenance goes quite well in my opinion.

For example, bug #883561 [0] was reported on 2017-12-05, and the pull request I proposed was merged upstream [1] on 2017-12-07 (that's two days).

The fact that our AppArmor maintainer also has upstream merge rights is a big help :-) .
> The current "ejabberd" profile in apparmor-profiles is completely useless and I have basically rewritten the current "ejabberdctl" profile from scratch.
Yeah, that old one is useless.

Though I would like to propose improvements for the current profile too, because it seems that the Erlang executable can run `su` too (because of inherited execution, `ix`), same as the wrapper script. I believe only the wrapper script should actually invoke `su`, am I right? It would be nice to deny running setuid applications if possible.

Also, I am guessing that this rule would need extra file/unix rules too, to access the `/var/run/.psql.5432` unix domain socket to connect to PostgreSQL, for example. I could test all networking and other features in an Ubuntu VM, as all these AppArmor features are being upstreamed, and so are coming into Debian too.
> You're welcome to replace the one in apparmor-profiles with mine and make things happen the way you described them.
OK, I'll start by proposing the same profile as-is, and start working on improvements after that point.

I'll create bugs against `ejabberd` with the upstream tag and forwards, to keep track.
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883561
[1] https://gitlab.com/apparmor/apparmor-profiles/commit/dac904a3bc34125a40856973c1faef32b351a798
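A constructed AppArmor profile fragment, added here as an illustration and not the Debian ejabberd profile or anything from this thread, showing the split discussed above: the wrapper script keeps the right to run `su`, while the Erlang VM runs in a child profile that cannot execute it and only gets the PostgreSQL socket it needs. The paths `/usr/sbin/ejabberdctl`, `/usr/lib/erlang/erts-*/bin/beam.smp`, `/bin/su` and the `/var/lib`, `/var/log` and `/etc` locations are assumptions; the socket path is the one named in the message.

```apparmor
# Constructed illustration: all binary and data paths below are assumed,
# not taken from the real package or from the apparmor-profiles repository.
#include <tunables/global>

/usr/sbin/ejabberdctl {
  #include <abstractions/base>
  #include <abstractions/bash>

  # The wrapper script is the only component that may switch user.
  # PUx: run su under its own profile if one is loaded, else unconfined,
  # instead of inheriting this profile (which is what plain ix would do).
  /bin/su PUx,
  capability setuid,
  capability setgid,

  # Hand the Erlang VM to a dedicated child profile instead of using ix,
  # so it does not inherit the wrapper's permission to execute su.
  /usr/lib/erlang/erts-*/bin/beam.smp Cx -> erlang_vm,

  profile erlang_vm {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    # Refuse the setuid helper inside the VM. `audit deny` logs every
    # attempt, so a release that suddenly shells out to su shows up in
    # the AppArmor log rather than failing silently.
    audit deny /bin/su x,

    # Listener sockets plus the PostgreSQL unix domain socket from the thread.
    # A filesystem-bound socket is mediated as a file (rw on its path); the
    # unix rule covers the stream connect/send/receive on top of that.
    network inet stream,
    network inet6 stream,
    /var/run/.psql.5432 rw,
    unix (connect, send, receive) type=stream,

    # Read-only code, read-write state and logs, read-only config (assumed paths).
    /usr/lib/erlang/** mr,
    /var/lib/ejabberd/** rwk,
    /var/log/ejabberd/** rw,
    /etc/ejabberd/** r,
  }
}
```

Loading it in complain mode first (`aa-complain`) and watching the kernel log for `erlang_vm` denials is the quickest way to see which extra file or unix rules the real daemon still needs.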