syncdaemon should have AppArmor profile

Here's a profile that works for me -- likely will need to be tuned for new user directory creation, but that should be trivial.

This should ship in the package in /etc/apparmor.d and gain the appropriate maintainer-script stanzas to activate the profile on install. For more details see:
https://help.ubuntu.com/community/AppArmor#Creating%20a%20new%20profile

Hi Kees, this is a great idea, and thank you for creating the initial profile! I believe this initial profile is too restrictive, as in Lucid users can tell the syncdaemon to manage any folder in their home directory. Would it be appropriate to give syncdaemon access to everything in the users home directory, or is something more complex needed for that case?

Ah, I didn't see anywhere to configure the syncdaemon, so I was hoping it
was just the "Ubuntu One" directory.

It could be made to r/w the entire home directory, but that defeats the
purpose a bit (for me). Feel free to adjust as needed, though! It'd
still be nice to have it isolated just to the home directory.

The profile in the bzr tree won't be sufficient, @{HOME}/* rw, should likely be @{HOME}/** rw, otherwise subdirectories will not be included. It'd be nice if some areas of the home directory were protected (ssh keys, gpg keys, etc) please see the firefox profile for examples.

On 03/08/2010 02:58 PM, Kees Cook wrote:
> The profile in the bzr tree won't be sufficient, @{HOME}/* rw, should
> likely be @{HOME}/** rw, otherwise subdirectories will not be included.
> It'd be nice if some areas of the home directory were protected (ssh
> keys, gpg keys, etc) please see the firefox profile for examples.
>
OK, thanks! I'll update as suggested.

This is milestoned for ubuntu-10.04-beta-1 -- what is the status for getting this in before then?

I have proposed the fix branch for merge. I'm awaiting review. I've addressed the needs-fixing item listed.

Okay, unmilestoning, as we keep seeing changing behavior with the profile. This should be better tested and rolled out in M, instead.

This is unfortunate. Could a disabled profile be shipped instead or at the very least an 'example profile' be shipped in /usr/share/doc? This way users can at least test and use the profile and give feedback along the way.

I'm investigating the best way of implementing Jamie's suggestion. It would be great to get user feedback on this.

Rick, this is actually quite easy. Ship the profile as if it is enforcing, then put a symlink to it in /etc/apparmor.d/disable. Eg, if you install the profile to /etc/apparmor.d/usr.lib.ubuntuone-client.ubuntuone-syncdaemon, then do:
# ln -s /etc/apparmor.d/usr.lib.ubuntuone-client.ubuntuone-syncdaemon /etc/apparmor.d/disable/usr.lib.ubuntuone-client.ubuntuone-syncdaemon

You can see the firefox packaging for a (rather complicated) example. libapache2-mod-apparmor has a less complicated example I think.

I'm going to update the branch as described.

Rick, curious on the status of the disabled profile. Will it make it into Lucid?

On 04/09/2010 10:59 AM, Jamie Strandboge wrote:
> Rick, curious on the status of the disabled profile. Will it make it
> into Lucid?
>
I had one failed attempt where I tried to handle it in debian/rules

I downloaded the source for the examples you referenced, but got side
tracked with operations stuff, and then was rather ill last night and
today. I'm hopeful that I can get this done either over the weekend or
on Monday. It shouldn't be that difficult, I simply haven't done this
exact sort of thing before.

ping :)

Yep, rotated back to operations+ and will get the needful resolved during or shortly after UDS.

Tried to reply via email but LP no longer recognizes my signature :/

at this point this is a next-cycle type activity.

What is the status of this bug? If we are going to be shipping a disabled file instead of enforcing, we can mark as Wishlist/low instead.

Jamie,

My work was focused elsewhere this past cycle. I hope to revisit (or help someone else revisit) this in the future.