From AppArmor
(12:01:29 PM) jjohansen: cboltz, sbeattie, sarnold, jdstrand, mdeslaur: if you're interested it's time for the monthly apparmor meeting
(12:01:39 PM) mdeslaur: hi jjohansen!
(12:01:49 PM) jdstrand: hi :)
(12:02:20 PM) terryh [] entered the room.
(12:02:21 PM) ***sbeattie o/
(12:03:16 PM) jjohansen: Well I guess that will have to do, let's get started
(12:03:20 PM) ***cboltz hides
(12:03:29 PM) jjohansen: cboltz: good idea :)
(12:03:57 PM) jjohansen: I guess first up is dealing with the 3.0 release
(12:04:02 PM) sarnold: o/
(12:04:43 PM) jjohansen: it's running behind schedule (big surprise), and I propose we postpone its release
(12:05:16 PM) jjohansen: I'd rather do a good release with the base target features than trickle out just a few things
(12:06:06 PM) jjohansen: what I was thinking was setting a new target date for the beta to say the start of June or so
(12:06:10 PM) jdstrand: that seems to make sense
(12:06:55 PM) jjohansen: that gives us about 3 months more dev and polish time and we can then look at rolling a release at some point in the summer
(12:07:06 PM) jjohansen: cboltz: what is suse schedule looking like
(12:07:18 PM) sbeattie: jjohansen: would you want to do an alpha release before the beta?
(12:07:25 PM) cboltz: 12.3 will be released in two weeks
(12:07:34 PM) cboltz: and 13.1 will be in +8 months
(12:07:47 PM) jjohansen: sbeattie: yes, I'd like to roll several alphas before the beta
(12:08:04 PM) jjohansen: cboltz: so a release in 5-6 months would work out well for you then :)
(12:08:20 PM) cboltz: assuming we don't postpone again, it should work ;-)
(12:08:45 PM) sbeattie: jjohansen: okay, I wasn't sure given the previous alphas being skipped.
(12:08:54 PM) jjohansen: cboltz: well we are getting there
(12:09:08 PM) sbeattie: (but on the whole, I am okay with this plan)
(12:09:25 PM) jjohansen: sbeattie: well I kind of did a half assed alpha1 kernel, which was really on the 2.8 userspace
(12:09:35 PM) jjohansen: but never really announced it as such
(12:10:11 PM) jjohansen: sbeattie: I do really want to get an alpha out but I'd like to have certain things working well enough
(12:10:23 PM) jjohansen: we are close on the labeling/stacking and dbus
(12:10:39 PM) jjohansen: the env filtering is further out
(12:10:51 PM) cboltz: BTW and OT: I'm also making good progress with PostfixAdmin 3.0. We'll see who wins the "release 3.0" race ;-)
(12:10:59 PM) jjohansen: oh I guess we have the new fs interface which seems to be solid
(12:11:43 PM) jjohansen: cboltz: heh well I wouldn't be surprised if apparmor lost :)
(12:12:22 PM) cboltz: are you always that pessimistic? ;-)
(12:12:45 PM) jjohansen: so alpha wise my goal is to roll an actual alpha in a week or two, it won't be next week as I want to coordinate with tyhicks and get the new query interface in
(12:13:44 PM) jjohansen: cboltz: who me, I am very optimistic, I believe we will eventually have a 3.0 release ;-)
(12:14:20 PM) cboltz: ;-)
(12:15:54 PM) jjohansen: so I haven't heard any complaints with the plan, so I will record it as doing monthlyish alphas and a beta target for early june
(12:16:05 PM) jjohansen: Moving on to 2.8.2
(12:16:30 PM) jjohansen: sbeattie: you had some things you thought should probably go in?
(12:17:22 PM) jjohansen: Basically with 3.0 being delayed I think we need to make sure we roll all the fixes we can into 2.8
(12:17:34 PM) sarnold: would the new libaudit link -> cap_audit_write needed in PAM be worth adding to 2.8.2?
(12:18:04 PM) sbeattie: Oh, yes, some of the configury stuff around python3 is broken in 2.8, and needs a couple of cherrypicked patches.
(12:18:09 PM) jjohansen: sarnold: yes I think so, though I am surprised suse hasn't seen it already
(12:18:43 PM) sbeattie: sarnold: where I ran into it was in mostly custom emitted profiles in the ubuntu tests of the pam_apparmor stack.
(12:18:56 PM) jjohansen: also I am open to 2.8.2 picking up a few little tweaks/improvements to the build etc above strictly just bug fixes
(12:19:15 PM) jjohansen: ah right
(12:19:30 PM) sbeattie: jjohansen: do you have any particular improvements in mind?
(12:19:33 PM) sarnold: sbeattie: ohh
(12:19:33 PM) jjohansen: still I would expect if someone tried pam_apparmor on suse they would hit it
(12:20:24 PM) jjohansen: sbeattie: not at the moment, but there was discussion of cleaning up the rpm infrastructure a bit, and tweaks to the make system etc last time
(12:20:33 PM) cboltz: jjohansen: pam_apparmor is one of the things I don't use myself
(12:20:40 PM) cboltz: what exactly is broken with it?
(12:20:55 PM) jjohansen: we would have to evaluate case by case but I am open to a few tweaks like that going in
(12:21:21 PM) jjohansen: cboltz: it's a pam module that can be used to put users/applications into apparmor profiles
(12:21:36 PM) cboltz: I know what it is/does ;-)
(12:22:10 PM) jjohansen: ah right, the issue is there are new rejects etc if you have auditd enabled
(12:22:16 PM) sbeattie: cboltz: nothing is broken with it; the discussion was prompted by ubuntu finally getting libaudit in main and enabled at build time for a bunch of things, which broke some tests of the pam_apparmor stack, because adding libaudit caused audit events to be written from userspace, requiring capability audit_write where it hadn't been needed before.
(12:22:33 PM) jjohansen: so Ubuntu has been using it with syslog, but hit errors with the inclusion of auditd
(12:22:46 PM) jdstrand: jjohansen: just with auditd enabled? it doesn't require a newer pam or something?
(12:23:04 PM) ***jdstrand uses pam-apparmor, but hasn't seen it on 12.04
(12:23:34 PM) sbeattie: no, it's not bound to auditd; it's the build-time enabling of the libaudit configure option.
(12:24:16 PM) jjohansen: sbeattie: well it's both, as it won't use auditd if it isn't present
(12:24:49 PM) sbeattie: jjohansen: pam will still try to generate the userspace audit events even if auditd is not running.
(12:25:14 PM) jdstrand: ok, that was more in line with what I was thinking
(12:26:37 PM) sbeattie: anyway, it's a bit of a diversion. At best, there might be improvements in an abstraction or two that could be made related to it.
(12:27:13 PM) jjohansen: yeah, but that is something that could definitely go into 2.8.2 as if you hit it you would call it a bug
(12:27:45 PM) jjohansen: Anyway I don't think 2.8.2 is a rush but I was thinking maybe we could get it out next month
(12:28:30 PM) jjohansen: If you see anything that's a bug, or think it would be appropriate with 3.0 still being a ways out please nominate it
(12:28:47 PM) sbeattie: Agree on 2.8.2
(12:29:19 PM) jjohansen: so we can move on
(12:29:25 PM) sbeattie: I'm happy to be the sucker^W^W^W handle that release, if you want.
(12:29:59 PM) jjohansen: sbeattie: thanks
(12:30:50 PM) jjohansen: cboltz: we have a packaging item around rpm on the agenda. Did you want to talk to that
(12:31:02 PM) cboltz: yes
(12:31:13 PM) cboltz: it's just an idea and I'd like to hear feedback
(12:31:23 PM) jjohansen: okay, go
(12:31:24 PM) cboltz: the (possible) problem is basically:
(12:31:35 PM) cboltz: a package contains an apparmor profile
(12:31:41 PM) cboltz: what should it have in its requirements?
(12:32:02 PM) cboltz: if it requires apparmor-profiles, people might complain because they want to run ping unprotected ;-)
(12:32:20 PM) cboltz: and if it does not require it, the abstractions are missing and the profile fails to load
(12:32:32 PM) cboltz: that's why I was thinking about splitting the package into
(12:32:35 PM) cboltz: a) profiles
(12:32:49 PM) cboltz: b) everything else (directory structure, abstractions, tunables etc.)
(12:33:02 PM) cboltz: what's your opinion about this?
(12:33:35 PM) mdeslaur: that's basically what we do on ubuntu
(12:34:31 PM) jjohansen: cboltz: it makes a lot of sense and I really don't know why the abstractions aren't split off from the rest of the profiles
(12:34:56 PM) jjohansen: my guess is it was just more work and we want to get something out the door
(12:35:06 PM) cboltz: probably because "nobody did it"
(12:35:45 PM) sarnold: probably paralyzed trying to come up with The Best Way to do it... I recall some talk about automatically building a giant pile of packages, one for each profile (family) and requirements to match...
(12:35:50 PM) jjohansen: cboltz: well it was our goal at one time to get all the profiles into their respective packages but that proved to be hard :)
(12:35:52 PM) cboltz: and it doesn't cause too many problems (only if a package comes with its own profile _and_ the parser is installed)
(12:36:15 PM) sarnold: cboltz: your suggestion sounds very practical to me. It's hard to see a downside, anyway. :)
(12:36:44 PM) cboltz: sarnold: well, the rpm database will grow a bit ;-)
(12:37:03 PM) sarnold: cboltz: hehe, it already tracks 27k files...
(12:37:26 PM) cboltz: jjohansen: IMHO getting the profiles into their respective packages only makes sense if the package maintainer cares about the profile
(12:37:39 PM) cboltz: otherwise it just means I have to update 20 packages instead of one ;-)
(12:38:10 PM) jjohansen: cboltz: yep, like I said it proved to be hard :)
(12:38:21 PM) cboltz: (ideally the _upstream_ maintainers should care, but that's even harder...)
(12:40:08 PM) jdstrand: ya
(12:40:32 PM) cboltz: BTW: after some discussion on the opensuse-factory ML around protecting stuff like firefox and acroread, I'm also thinking about creating an apparmor-profiles-paranoid-will-break-something package ;-)
(12:40:59 PM) sarnold: ooh
(12:41:14 PM) cboltz: (you all know that profiling applications with a "save as..." menu option never makes everybody happy)
(12:41:50 PM) cboltz: (and that's also the reason why I'm not too keen to add an acroread profile to the profiles package)
(12:42:43 PM) jjohansen: cboltz: well get them to patch the file dialog to use the new apparmor sandbox file dialog that is coming (eventually) and everyone will be happy :)
(12:43:12 PM) cboltz: that's the long-term goal, but I haven't seen this dialog yet ;-)
(12:43:28 PM) jjohansen: cboltz: hence the eventually
(12:43:41 PM) cboltz: I'm really looking forward to it, because it will solve lots of problems
(12:44:01 PM) jjohansen: yes, it will be nice to have
(12:44:51 PM) jjohansen: alright so can we get a sucker^w volunteer to do some base packaging work around this
(12:45:05 PM) jjohansen: it would make sense to have this upstream I think
(12:45:35 PM) cboltz: I'm not sure if upstream makes sense here ;-)
(12:45:45 PM) cboltz: basically I only have to split the %files in the spec
(12:46:12 PM) cboltz: so the only upstream thing that could be helpful is a README.packaging that recommends to split profiles and abstractions etc. in separate packages
(12:46:20 PM) jjohansen: well, we do ship a reference set, and currently the abstractions and profiles are treated the same
(12:46:34 PM) jdstrand: I think that is probably right
(12:46:44 PM) jdstrand: it is a reference set, it can be shipped together
(12:47:42 PM) jdstrand: I can see the benefit of the split I guess, but README.packaging sounds easier, especially since distros may not use whatever split we come up with
(12:47:53 PM) jjohansen: heh, okay I'll defer, cboltz feel free to submit patches to the README :)
(12:48:18 PM) jjohansen: might not, but are lazy so are likely to
(12:48:28 PM) ***jdstrand nods
(12:48:45 PM) cboltz: I'll send a patch whenever I'm bored ;-)  (which doesn't happen too often)
(12:50:07 PM) jjohansen: Alright moving on
(12:50:26 PM) jjohansen: next meeting.  Should we move back to tuesday?
(12:50:56 PM) jjohansen: And if so March 2 or March 9th?
(12:51:04 PM) jjohansen: gah, stupid jj.
(12:51:13 PM) jjohansen: April 2 or April 9th
(12:51:51 PM) ***jjohansen would really like to have an extra February of dev time
(12:51:55 PM) jdstrand: I'd suggest 9th
(12:52:08 PM) jdstrand: but it can be either
(12:52:13 PM) jdstrand: (imho)
(12:52:13 PM) sarnold: no difference for me
(12:52:34 PM) cboltz: I don't really care about the day, and both dates you proposed are OK for me
(12:53:00 PM) sbeattie: I'm okay with either
(12:53:11 PM) jjohansen: alright that's good enough for me
(12:53:11 PM) jjohansen: Tuesday April 9th, @20:00 UTC
(12:53:29 PM) jjohansen: does anyone have anything else they would like to discuss
(12:53:30 PM) sbeattie: would that be the intended regular date, 2nd tues of each month?
(12:53:42 PM) sbeattie: (just to try for a consistent schedule)
(12:53:47 PM) jjohansen: sbeattie: yeah that is what we have tried for
(12:54:20 PM) sbeattie: okay, couldn't remember if it was 1st or 2nd tues. Works for me.
(12:54:35 PM) jjohansen: hrmm or was it first tuesday? Anyways I am good with codifying it as we try for the 2nd
(12:54:49 PM) cboltz: the 2nd will avoid April 1st 2014 ;-)
(12:55:16 PM) jjohansen: well that settles it then
(12:55:17 PM) ***jdstrand votes for 2nd tuesday, but doesn't have a strong opinion
(12:55:55 PM) ***cboltz votes for the first because he wants to do some april fool's jokes next year
(12:56:20 PM) jdstrand: heh
(12:57:53 PM) jjohansen: alright thanks for coming everyone, see you on the 9th
(12:57:58 PM) jjohansen: or sooner
(12:58:02 PM) jdstrand: thanks jjohansen! :)
(12:58:05 PM) mdeslaur: thanks jjohansen!
(12:58:07 PM) cboltz: I have two small things left ;-)
(12:58:19 PM) cboltz: one: any news on updating the wiki?
(12:58:31 PM) jjohansen: cboltz: oh, drat
(12:59:02 PM) cboltz: two: did someone write a description for a GSoC project about rewriting the tools + adding some features?
(12:59:17 PM) jjohansen: no, no news on the wiki we really do need to do that. I'll poke kees to remind me about who I need to contact
(12:59:58 PM) jjohansen: cboltz: oh drat no I haven't managed to get to that yet, sarnold have you?
(01:00:26 PM) sarnold: no, I didn't, I thought got a bit intimidated when I saw the other proposals were more than just hand-waving :)
(01:00:49 PM) jjohansen: alright I will see what I can come up with this weekend
(01:01:34 PM) jjohansen: and then I can send it to the ml for people to help with revisions
(01:01:56 PM) ***jjohansen sticks a sticky to his monitor
(01:02:22 PM) cboltz: another one? how big is your monitor? ;-)
(01:02:41 PM) jjohansen: all too small
(01:03:15 PM) cboltz: for the stickies or to display the applications?
(01:04:02 PM) jjohansen: stickies, and well I guess trying to see applications through all the stickies
(01:04:28 PM) cboltz: ;-)
(02:15:46 PM) terryh left the room (quit: Ping timeout: 480 seconds).
(03:46:45 PM) cboltz left the room (quit: ).