authorGuido Günther <agx@sigxcpu.org>2017-09-25 19:22:15 +0200
committerGuido Günther <agx@sigxcpu.org>2017-09-28 20:08:42 +0200
commitbfdeaac7ef5c4816759acb0dddc299a58bf27755 (patch)
tree2138fd1c305406159652fb38b7d1f608cf5c02b6
Initial commitHEADmaster
-rw-r--r--.gitignore3
-rw-r--r--Makefile9
-rw-r--r--profiles/Makefile2
-rw-r--r--profiles/apache2.conf81
-rw-r--r--profiles/apache2.d/kopano-webapp26
-rw-r--r--profiles/kopano-webapp28
-rw-r--r--profiles/usr.sbin.apache2109
-rw-r--r--profiles/usr.sbin.kopano-dagent35
-rw-r--r--profiles/usr.sbin.kopano-search50
-rw-r--r--profiles/usr.sbin.kopano-server43
-rw-r--r--profiles/usr.sbin.mysqld152
-rw-r--r--talk.org309
-rw-r--r--talk.pdfbin0 -> 168780 bytes
13 files changed, 847 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..93a74fb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*~
+*.log
+*.tex
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..9390105
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,9 @@
+all: talk.pdf
+
+talk.pdf: talk.org
+ # org-src-preserve-indentation prevents spaces converted to tabs in babel)
+ emacs -batch $< --eval='(setq org-src-preserve-indentation t)' \
+ --eval='(org-beamer-export-to-pdf)'
+
+clean:
+ rm -f *.tex
diff --git a/profiles/Makefile b/profiles/Makefile
new file mode 100644
index 0000000..210b72f
--- /dev/null
+++ b/profiles/Makefile
@@ -0,0 +1,2 @@
+all:
+ for p in usr.sbin.kopano-{dagent,server} usr.sbin.mysqld usr.sbin.kopano-search apache2.d/kopano-webapp; do scp autopkgtest:/etc/apparmor.d/$$p ./$$p; done
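Review bot: The brace expansion `usr.sbin.kopano-{dagent,server}` on the recipe line is a bash feature, but make runs recipes with /bin/sh, which on Debian is dash and passes the braces through literally, so scp is asked for a file named `usr.sbin.kopano-{dagent,server}` and the two real profiles are never fetched. Either add `SHELL := /bin/bash` above the rule or spell the names out, `usr.sbin.kopano-dagent usr.sbin.kopano-server`. The loop also continues after a failed scp and the recipe exits 0, so a partial fetch looks like success; `scp autopkgtest:/etc/apparmor.d/$$p ./$$p || exit 1; done` would surface it. usr.sbin.apache2 and profiles/kopano-webapp are committed alongside but not in the list, which is presumably intentional and worth a comment.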
diff --git a/profiles/apache2.conf b/profiles/apache2.conf
new file mode 100644
index 0000000..ce0095c
--- /dev/null
+++ b/profiles/apache2.conf
@@ -0,0 +1,81 @@
+# example main configuration for kopano-webapp
+#vim: set ft=apache ts=4 sw=4 expandtab :#
+
+<Directory /usr/share/kopano-webapp/>
+ DirectoryIndex index.php
+ Options -Indexes +FollowSymLinks
+ AllowOverride Options
+
+ <IfModule apparmor_module>
+ AAHatName kopano-webapp
+ </IfModule>
+
+ # Only server Apache2.4
+ <IfVersion >= 2.3>
+ Require all granted
+ </IfVersion>
+
+ FileETag All
+
+ # Uncomment to enhance security of WebApp by restricting cookies to
+ # only be provided over HTTPS connections.
+ # php_flag session.cookie_secure on
+ # php_flag session.cookie_httponly on
+
+ # The maximum POST limit. To upload large files, this value must be
+ # larger than upload_max_filesize.
+ php_value post_max_size 31M
+ php_value upload_max_filesize 30M
+
+ # Manipulate the cache control headers if mod_expires and
+ # mod_headers are both enabled; otherwise the client will depend
+ # on the ETag header. However, you can set FileETag to "None" if
+ # you have multiple servers serving WebApp to the same user. In
+ # that case, apache will fall back to the config below so make
+ # sure these two modules are loaded!
+ <IfModule expires_module>
+ <IfModule headers_module>
+ ExpiresActive On
+ ExpiresDefault "now"
+
+ <FilesMatch "\.(jpg|gif|png)$">
+ # All (static) resources set to 2 months expiration time.
+ ExpiresDefault "access plus 2 months"
+ Header append Cache-Control "public"
+ </FilesMatch>
+
+ <FilesMatch "\.(js|css)$">
+ # All non-dynamic files set to 2 weeks expiration time.
+ ExpiresDefault "access plus 2 weeks"
+ # User agents are requested to revalidate for each resource
+ # so that the server can always serve a newer version if
+ # necessary.
+ Header append Cache-Control "no-cache, must-revalidate"
+
+ # Treat IE a little differently due to the remarks on no-cache
+ # on http://support.microsoft.com/kb/234067
+ <IfModule setenvif_module>
+ BrowserMatch MSIE ie_bug
+ </IfModule>
+ Header set Cache-Control "must-revalidate, private" env=ie_bug
+ </FilesMatch>
+
+ <filesMatch "\.(php)$">
+ # PHP files must always be retrieved from the server.
+ ExpiresActive Off
+ Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
+ Header set Pragma "no-cache"
+ </filesMatch>
+ </IfModule>
+ </IfModule>
+
+ # Enable gzip compression if the module is available
+ <IfModule deflate_module>
+ <filesMatch "\.(js|css)$">
+ SetOutputFilter DEFLATE
+ </filesMatch>
+ </IfModule>
+
+</Directory>
+
+# vim: autoindent ts=4 sw=4 expandtab softtabstop=4 ft=conf
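Review bot: `AAHatName kopano-webapp` inside `<IfModule apparmor_module>` fails open: when mod_apparmor is not loaded the directive is silently skipped and requests for /usr/share/kopano-webapp are served under the parent usr.sbin.apache2 profile, which in this commit grants `/** mrwlkix`. A comment next to it such as `# Without mod_apparmor (a2enmod apparmor) this directory runs under the permissive parent profile, not the hat` would make that visible to whoever copies this file. The `php_flag session.cookie_secure on` / `session.cookie_httponly on` lines stay commented out; since they are the remaining cookie hardening once the hat is in place, the comment could state the condition for enabling them (HTTPS-only deployments). `# Only server Apache2.4` above the IfVersion block reads as a typo; `# Require all granted is Apache 2.4 syntax` says what the guard is for.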
diff --git a/profiles/apache2.d/kopano-webapp b/profiles/apache2.d/kopano-webapp
new file mode 100644
index 0000000..17654c5
--- /dev/null
+++ b/profiles/apache2.d/kopano-webapp
@@ -0,0 +1,26 @@
+# Last Modified: Fri Sep 11 13:27:22 2009
+# Author: Guido Günther <agx@sigxcpu.org>
+
+ ^kopano-webapp {
+ #include <abstractions/apache2-common>
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/php5>
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/@{pid}/cmdline r,
+
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/*.conf r,
+
+ /etc/kopano/webapp/config.php r,
+
+ /usr/share/kopano-webapp/** r,
+
+ /var/lib/kopano-webapp/tmp/** rwk,
+
+ /var/log/apache2/ r,
+ # FIXME: we should use separate logfiles for kopano upfront
+ /var/log/apache2/error.log rw,
+ /var/log/apache2/other_vhosts_access.log rw,
+ }
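Review bot: This hat and profiles/kopano-webapp (the next file in the commit) are near-duplicates that have already diverged: this one reads `/etc/kopano/webapp/config.php r` while the other reads `/etc/kopano/webapp/*.php r` and adds a writable `debug.txt`, and the talk installs the latter into apache2.d/ while profiles/Makefile fetches the former. Keeping one copy, or a header comment in each stating which is the installed version and why they differ, would avoid shipping the wrong rule set. The `# Last Modified: Fri Sep 11 13:27:22 2009` header predates the 2017 content and is presumably a leftover from the file this was derived from; drop it or let the aa-* tools regenerate it.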
diff --git a/profiles/kopano-webapp b/profiles/kopano-webapp
new file mode 100644
index 0000000..28d11bd
--- /dev/null
+++ b/profiles/kopano-webapp
@@ -0,0 +1,28 @@
+# Author: Guido Günther <agx@sigxcpu.org>
+
+ ^kopano-webapp {
+ #include <abstractions/apache2-common>
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/php5>
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/@{pid}/cmdline r,
+
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/*.conf r,
+
+ /etc/kopano/webapp/*.php r,
+
+ /usr/share/kopano-webapp/** r,
+
+ /var/lib/kopano-webapp/tmp/** rwk,
+
+ /var/log/apache2/ r,
+ # FIXME: we should use separate logfiles for kopano upfront
+ /var/log/apache2/error.log rw,
+ /var/log/apache2/other_vhosts_access.log rw,
+
+ # Useful when in debugging mode
+ /usr/share/kopano-webapp/debug.txt rw,
+ }
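Review bot: `/usr/share/kopano-webapp/debug.txt rw` grants the hat write access inside the otherwise read-only application tree, and it is enabled by default in a profile the talk copies straight into /etc/apparmor.d/apache2.d/. Ship it commented out, `# /usr/share/kopano-webapp/debug.txt rw, # enable only while debugging`, so the normal install does not carry a writable file under /usr/share. The two `/var/log/apache2/*.log rw` rules also grant more than the example hat in usr.sbin.apache2 in this same commit, which uses `/var/log/apache2/*.log w,`; unless the application reads the shared error log, `w` is sufficient and keeps other vhosts' log content out of reach of the hat.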
diff --git a/profiles/usr.sbin.apache2 b/profiles/usr.sbin.apache2
new file mode 100644
index 0000000..dd23f51
--- /dev/null
+++ b/profiles/usr.sbin.apache2
@@ -0,0 +1,109 @@
+# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+
+#include <tunables/global>
+/usr/sbin/apache2 flags=(attach_disconnected) {
+
+ # This profile is completely permissive.
+ # It is designed to target specific applications using mod_apparmor,
+ # hats, and the apache2.d directory.
+ #
+ # In order to enable this profile, you must:
+ #
+ # 0- Stop apache:
+ # sudo service apache2 stop
+ #
+ # 1- Enable the profile:
+ # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
+ #
+ # 2- Load the mpm_prefork and mod_apparmor modules:
+ # sudo a2dismod <other non-prefork mpm>
+ # sudo a2enmod mpm_prefork
+ # sudo a2enmod apparmor
+ # sudo service apache2 restart
+ #
+ # 3- Place an appropriate profile containing the desired hat in the
+ # /etc/apparmor.d/apache2.d directory. Such profiles must include
+ # the "apache2-common" abstraction:
+ #
+ # ^example.com flags=(complain) {
+ # #include <abstractions/apache2-common>
+ # /var/www/html/ r,
+ # /var/www/html/** r,
+ # /var/log/apache2/*.log w,
+ # }
+ #
+ # 4- Use the "AADefaultHatName" apache configuration option to specify a
+ # hat to be used for a given apache virtualhost or "AAHatName" for
+ # a given apache directory or location directive:
+ #
+ # <VirtualHost example.com:80>
+ # <IfModule mod_apparmor.c>
+ # AADefaultHatName example.com
+ # </IfModule>
+ # ...
+ # </VirtualHost>
+ #
+ #
+ # There is an example profile for phpsysinfo included in the
+ # apparmor-profiles package. To try it:
+ #
+ # 1- Install the phpsysinfo and the apparmor-profiles packages:
+ # sudo apt-get install phpsysinfo apparmor-profiles
+ #
+ # 2- Enable the main apache2 profile
+ # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
+ #
+ # 3- Configure apache with the following (or similar):
+ # Alias /phpsysinfo /usr/share/phpsysinfo
+ # <Location /phpsysinfo>
+ # <IfModule mod_apparmor.c>
+ # AAHatName phpsysinfo
+ # </IfModule>
+ #
+ # # adjust as necessary:
+ # Options None
+ # Require local
+ # Require ip 192.168.0.0/16
+ # </Location>
+ #
+
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ # Send signals to all hats.
+ signal (send) peer=@{profile_name}//*,
+
+ capability dac_override,
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_tty_config,
+
+ / rw,
+ /** mrwlkix,
+
+
+ ^DEFAULT_URI flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/apache2-common>
+
+ / rw,
+ /** mrwlkix,
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) {
+ #include <abstractions/apache2-common>
+
+ / rw,
+ /** mrwlkix,
+ }
+
+ # This directory contains web application
+ # package-specific apparmor files.
+
+ #include <apache2.d>
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.apache2>
+}
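Review bot: The file carries only the Ubuntu author line and no note on what was changed locally; the talk's Upstreaming section points at an apache2 attach_disconnected merge request, and the `flags=(attach_disconnected)` on the profile line and on both hats appear to be that local change. A header comment such as `# Copied from Ubuntu apparmor-profiles usr.sbin.apache2; local change: flags=(attach_disconnected) on profile and hats (see the launchpad merge 331065)` would let a reader re-sync with upstream without losing it. The long how-to comment is also the one place a reader learns the parent profile and both built-in hats are fully permissive (`/** mrwlkix`), which matters for the kopano-webapp hat in this commit: any request not mapped to a hat runs with those rules.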
diff --git a/profiles/usr.sbin.kopano-dagent b/profiles/usr.sbin.kopano-dagent
new file mode 100644
index 0000000..068919b
--- /dev/null
+++ b/profiles/usr.sbin.kopano-dagent
@@ -0,0 +1,35 @@
+#include <tunables/global>
+
+/usr/sbin/kopano-dagent {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/python>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/@{pid}/cmdline r,
+
+ /etc/gai.conf r,
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/*.conf r,
+ /etc/kopano/dagent.cfg r,
+
+ /usr/share/kopano-dagent/python/*.py{,c} r,
+
+ /var/lib/kopano/dagent/plugins/ r,
+
+ /etc/mapi/ r,
+ /etc/mapi/* r,
+
+ /run/kopano/dagent.pid rw,
+ /var/log/kopano/dagent.log rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.kopano-dagent>
+}
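Review bot: `/var/lib/kopano/dagent/plugins/ r` grants only a listing of the plugin directory, not a read of anything inside it, so if plugins placed there are meant to be loaded by the python side (`#include <abstractions/python>` and `/usr/share/kopano-dagent/python/*.py{,c} r` suggest that) they will be denied; if loading site plugins from there is deliberately not allowed, a comment on the rule should say so, otherwise `/var/lib/kopano/dagent/plugins/** r,`. The profile has no `network` rule of its own and presumably relies on the socket rules in `abstractions/nameservice` for its listener — confirm, and note it in a comment, since a future change to that abstraction would silently break delivery and the denial would be hard to attribute.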
diff --git a/profiles/usr.sbin.kopano-search b/profiles/usr.sbin.kopano-search
new file mode 100644
index 0000000..6ee700b
--- /dev/null
+++ b/profiles/usr.sbin.kopano-search
@@ -0,0 +1,50 @@
+# Last Modified: Fri Sep 8 14:49:47 2017
+#include <tunables/global>
+
+/usr/sbin/kopano-search {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/python>
+ #include <abstractions/user-tmp>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ deny /usr/lib/python2.7/dist-packages/kopano_search/*.pyc w,
+
+ # FIXME: it would be nice if search would use search- like pa
+ /dev/shm/* rwl,
+
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/*.conf r,
+
+ /lib/x86_64-linux-gnu/ld-*.so mr,
+ /usr/bin/python2.7 ix,
+ /usr/sbin/kopano-search r,
+
+ /etc/kopano/search.cfg r,
+
+ /bin/dash Pix,
+ /bin/rm Pix,
+ /sbin/ldconfig Pix,
+
+ /etc/mapi/ r,
+ /etc/mapi/kopano.inf r,
+ /etc/mapi/zcontacts.inf r,
+
+ /run/kopano/search.pid rw,
+ /run/kopano/search.pid.lock lrw,
+ /run/kopano/search.sock rw,
+ /run/kopano/*.*-* rw,
+
+ /var/lib/kopano/search/** rwlk,
+ /var/log/kopano/search.log rw,
+}
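Review bot: `/lib/x86_64-linux-gnu/ld-*.so mr` hard-codes the architecture; tunables/global, already included at the top, provides `@{multiarch}`, so `/lib/@{multiarch}/ld-*.so mr,` keeps the profile valid on other Debian arches — the same applies to `/usr/lib/x86_64-linux-gnu/kopano/*.so m` in usr.sbin.kopano-server. The FIXME above `/dev/shm/* rwl` is cut off ("like pa") and the rule lets search read, write and link every file in /dev/shm; an `owner` qualifier, `owner /dev/shm/* rwl,`, at least limits it to the service's own uid until the prefix the FIXME hints at is settled. `/run/kopano/*.*-* rw` is similarly broad, and a comment naming what matches that pattern would let a maintainer narrow it later.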
diff --git a/profiles/usr.sbin.kopano-server b/profiles/usr.sbin.kopano-server
new file mode 100644
index 0000000..0f3648c
--- /dev/null
+++ b/profiles/usr.sbin.kopano-server
@@ -0,0 +1,43 @@
+#include <tunables/global>
+
+/usr/sbin/kopano-server {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/mysql>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ network tcp,
+
+ /etc/kopano/debian-db.cfg r,
+ /etc/kopano/server.cfg r,
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /run/kopano/prio.sock rw,
+ /run/kopano/server.pid rw,
+ /run/kopano/server.sock rw,
+
+ /usr/lib/x86_64-linux-gnu/kopano/*.so m,
+
+ /var/lib/kopano/attachments/ r,
+ /var/lib/kopano/attachments/** rw,
+ /var/log/kopano/server.log rw,
+
+ /etc/kopano/userscripts/* Cxr -> kopano_userscripts,
+
+ # There's little we can do if the server is allowed to run
+ # arbitrary scripts
+ profile kopano_userscripts {
+ file,
+ network,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.kopano-server>
+}
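Review bot: The bare `file,` in the `kopano_userscripts` child profile lets any script under /etc/kopano/userscripts/ write the server's own configuration (`/etc/kopano/server.cfg`, `/etc/kopano/debian-db.cfg`), which the parent profile only reads, as well as the attachment store and log. The comment concedes the scripts are arbitrary, but deny rules bound the blast radius without knowing what the scripts need: `deny /etc/kopano/** w,` at minimum, and `deny /var/lib/kopano/attachments/** w,` if the scripts are not expected to touch attachments. The child grants no capabilities, which is the right default and worth a one-line comment so it is not "fixed" later.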
diff --git a/profiles/usr.sbin.mysqld b/profiles/usr.sbin.mysqld
new file mode 100644
index 0000000..862cee0
--- /dev/null
+++ b/profiles/usr.sbin.mysqld
@@ -0,0 +1,152 @@
+# Last Modified: Fri Mar 1 18:55:47 2013
+# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
+# This AppArmor profile has been copied under BSD License from
+# Percona XtraDB Cluster, along with some additions.
+
+#include <tunables/global>
+
+/usr/sbin/mysqld {
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/winbind>
+
+ capability chown,
+ capability dac_override,
+ capability setgid,
+ capability setuid,
+ capability sys_rawio,
+ capability sys_resource,
+
+ network tcp,
+
+ /bin/dash rcx,
+ /dev/dm-0 r,
+ /etc/gai.conf r,
+ /etc/group r,
+ /etc/hosts.allow r,
+ /etc/hosts.deny r,
+ /etc/ld.so.cache r,
+ /etc/mtab r,
+ /etc/my.cnf r,
+ /etc/mysql/*.cnf r,
+ /etc/mysql/*.pem r,
+ /etc/mysql/conf.d/ r,
+ /etc/mysql/conf.d/* r,
+ /etc/mysql/mariadb.conf.d/ r,
+ /etc/mysql/mariadb.conf.d/* r,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+ /etc/services r,
+ /run/mysqld/mysqld.pid w,
+ /run/mysqld/mysqld.sock w,
+ /sys/devices/system/cpu/ r,
+ owner /tmp/** lk,
+ /tmp/** rw,
+ /usr/lib/mysql/plugin/ r,
+ /usr/lib/mysql/plugin/*.so* mr,
+ /usr/sbin/mysqld mr,
+ /usr/share/mysql/** r,
+ /var/lib/mysql/ r,
+ /var/lib/mysql/** rwk,
+ /var/log/mysql.err rw,
+ /var/log/mysql.log rw,
+ /var/log/mysql/ r,
+ /var/log/mysql/* rw,
+ /var/run/mysqld/mysqld.pid w,
+ /var/run/mysqld/mysqld.sock w,
+
+
+ profile /bin/dash {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/perl>
+
+
+
+ /bin/cat rix,
+ /bin/dash rix,
+ /bin/date rix,
+ /bin/grep rix,
+ /bin/nc.openbsd rix,
+ /bin/netstat rix,
+ /bin/ps rix,
+ /bin/rm rix,
+ /bin/sed rix,
+ /bin/sleep rix,
+ /bin/tar rix,
+ /bin/which rix,
+ /dev/tty rw,
+ /etc/ld.so.cache r,
+ /etc/my.cnf r,
+ /proc/ r,
+ /proc/*/cmdline r,
+ /proc/*/fd/ r,
+ /proc/*/net/dev r,
+ /proc/*/net/if_inet6 r,
+ /proc/*/net/tcp r,
+ /proc/*/net/tcp6 r,
+ /proc/*/stat r,
+ /proc/*/status r,
+ /proc/sys/kernel/pid_max r,
+ /proc/tty/drivers r,
+ /proc/uptime r,
+ /proc/version r,
+ /sbin/ifconfig rix,
+ /sys/devices/system/cpu/ r,
+ /tmp/** rw,
+ /usr/bin/cut rix,
+ /usr/bin/dirname rix,
+ /usr/bin/gawk rix,
+ /usr/bin/innobackupex rix,
+ /usr/bin/mysql rix,
+ /usr/bin/perl rix,
+ /usr/bin/seq rix,
+ /usr/bin/wsrep_sst* rix,
+ /usr/bin/wsrep_sst_common r,
+ /usr/bin/xtrabackup* rix,
+ /var/lib/mysql/ r,
+ /var/lib/mysql/** rw,
+ /var/lib/mysql/*.log w,
+ /var/lib/mysql/*.err w,
+
+# MariaDB additions
+ ptrace peer=@{profile_name},
+
+ /bin/hostname rix,
+ /bin/ip rix,
+ /bin/mktemp rix,
+ /bin/ss rix,
+ /bin/sync rix,
+ /bin/touch rix,
+ /bin/uname rix,
+ /etc/mysql/*.cnf r,
+ /etc/mysql/conf.d/ r,
+ /etc/mysql/conf.d/* r,
+ /proc/*/attr/current r,
+ /proc/*/fdinfo/* r,
+ /proc/*/net/* r,
+ /proc/locks r,
+ /proc/sys/net/ipv4/ip_local_port_range r,
+ /run/mysqld/mysqld.sock rw,
+ /sbin/ip rix,
+ /usr/bin/basename rix,
+ /usr/bin/du rix,
+ /usr/bin/find rix,
+ /usr/bin/lsof rix,
+ /usr/bin/my_print_defaults rix,
+ /usr/bin/mysqldump rix,
+ /usr/bin/pv rix,
+ /usr/bin/rsync rix,
+ /usr/bin/socat rix,
+ /usr/bin/tail rix,
+ /usr/bin/timeout rix,
+ /usr/bin/xargs rix,
+ /usr/bin/xbstream rix,
+ }
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.mysqld>
+}
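Review bot: The `profile /bin/dash` child entered via `/bin/dash rcx` appears to exist for Galera state-snapshot-transfer helpers — the `wsrep_sst*`, `xtrabackup*`, `innobackupex`, `socat`, `rsync` and `ptrace peer=@{profile_name}` rules point that way — which a single-node Kopano database does not use; for that deployment the `rcx` transition and the child profile could be dropped, taking a shell with network tooling out of mysqld's reachable surface. If it is kept, a comment above `profile /bin/dash {` such as `# shell for wsrep SST helpers (Galera); unused on single-node installs` explains why mysqld may spawn a shell. `# MariaDB additions` sits unindented inside the child profile and reads as if the block had closed; indent it with the rules it introduces. The `# Last Modified: Fri Mar 1 18:55:47 2013` header no longer reflects the MariaDB additions below it.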
diff --git a/talk.org b/talk.org
new file mode 100644
index 0000000..4ad6336
--- /dev/null
+++ b/talk.org
@@ -0,0 +1,309 @@
+#+TODO: TODO(t) IN-PROGRESS DONE
+#+STARTUP: indent
+#+OPTIONS: ':nil *:t -:t ::t <:t H:2 \n:nil ^:t arch:headline
+#+OPTIONS: author:t broken-links:nil c:nil creator:nil
+#+OPTIONS: d:(not "LOGBOOK") date:t e:t email:nil f:t inline:t num:t
+#+OPTIONS: p:nil pri:nil prop:nil stat:t tags:t tasks:t tex:t
+#+OPTIONS: timestamp:t title:t toc:t todo:t |:t
+#+TITLE: Securing Kopano with Apparmor
+#+SUBTITLE: Kopano Conference 2017, Arnhem NL
+#+DATE: 2017-09-28
+#+AUTHOR: Guido Günther
+#+EMAIL: agx@sigxcpu.org
+#+LANGUAGE: en
+#+SELECT_TAGS: export
+#+EXCLUDE_TAGS: noexport
+#+CREATOR: Emacs 25.2.2 (Org mode 9.0.9)
+#+latex_header: \mode<beamer>{\usetheme{Copenhagen}}
+#+latex_header: \setbeamertemplate{headline}{}
+#+latex_header: \AtBeginSection[]{\begin{frame}<beamer>\frametitle{Topic}\tableofcontents[currentsection]\end{frame}}
+#+COLUMNS: %40ITEM %10BEAMER_env(Env) %9BEAMER_envargs(Env Args) %4BEAMER_col(Col) %10BEAMER_extra(Extra)
+
+* Who am I
+:PROPERTIES:
+:UNNUMBERED: t
+:END:
+
+** About me
+
+- Debian Developer (libvirt et al., gbp, LTS, ...)
+- GNOME contributor
+- FSFE Fellow
+- Freelancing Free Software Developer
+
+** Intro
+:PROPERTIES:
+:BEAMER_env: note
+:END:
+- Purpose: learn what apparmor is, how to use it, how to debug, status of kopano apparmor
+
+* What is Apparmor
+
+** What is Apparmor
+
+- pathname based Mandatory access control (MAC)
+- Linux LSM, userspace tools and profiles
+- Confines application to a limited set of resources via *profiles*
+- These control
+ - file read, write, execute, lock
+ - Network access
+ - raw socket access
+ - allowed capabilities
+ - rlimits
+ - tracing
+ - (dbus, signals)
+
+** Apparmor Policy Example I
+:PROPERTIES:
+:BEAMER_ENVARGS: [t]
+:END:
+
+*** Apparmor Policy Example I :B_ignoreheading:
+:PROPERTIES:
+:BEAMER_env: ignoreheading
+:END:
+#+BEAMER: \fontsize{9}{7.2}\selectfont
+#+name: Policy example
+#+BEGIN_EXAMPLE
+
+/usr/sbin/kopano-server {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ capability chown,
+ ...
+ capability setuid,
+
+ network tcp,
+
+ /etc/kopano/debian-db.cfg r,
+ /etc/kopano/server.cfg r,
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+ ...
+
+#+END_EXAMPLE
+
+** Apparmor Policy Example II
+*** Apparmor Policy Example II :B_ignoreheading:
+:PROPERTIES:
+:BEAMER_env: ignoreheading
+:END:
+#+BEAMER: \fontsize{8}{7.2}\selectfont
+#+BEGIN_EXAMPLE
+ ...
+ /run/kopano/prio.sock rw,
+ /run/kopano/server.pid rw,
+ /run/kopano/server.sock rw,
+
+ /usr/lib/x86_64-linux-gnu/kopano/*.so m,
+
+ ...
+ profile kopano_userscripts {
+ file,
+ network,
+ }
+ ...
+}
+#+END_EXAMPLE
+
+** Building and Debugging profiles
+
+- Denials are logged in kernel log, use *dmesg*
+- aa-complain <program>
+- aa-genprof <program>
+
+** Apparmor Distro Support
+#+BEAMER: \pause
+*** Enabled by default in
+
+- Ubuntu (lots of code upstreamed in 4.13)
+- OpenSuSE
+
+#+BEAMER: \pause
+*** Installation on Debian
+https://wiki.debian.org/AppArmor/HowToUse
+
+#+BEGIN_SRC sh
+ sudo apt install apparmor apparmor-{utils,profiles}
+ mkdir /etc/default/grub.d
+ echo 'GRUB_CMDLINE_LINUX_DEFAULT="' \
+ '$GRUB_CMDLINE_LINUX_DEFAULT' \
+ 'apparmor=1 security=apparmor"' \
+ > /etc/default/grub.d/apparmor.cfg
+ update-grub && reboot
+
+ aa-enabled && sudo aa-status
+#+END_SRC
+
+* Apparmor and Kopano
+** Security Precautions in Kopano
+
+- Services run as user kopano nowadays
+- Built with hardening support (in Debian)
+
+- But all services run as the _same_ user
+
+** Why is MAC useful
+
+- Webapp listens on the internet
+- Z-Push listens on the internet
+- e.g. kopano-dagent and kopano-search process untrusted input
+- ...
+
+** Restricting the MariaDB/Mysql I
+*** Add and activate the profile
+
+#+BEGIN_SRC sh
+wget 'https://raw.githubusercontent.com/MariaDB/' \
+ 'server/10.2/' \
+ 'support-files/policy/apparmor/usr.sbin.mysqld'
+touch /etc/apparmor.d/local/usr.sbin.mysqld
+apparmor_parser -a /etc/apparmor.d/usr.sbin.mysqld
+#+END_SRC
+
+Needs current git version
+
+*** Output
+#+BEGIN_EXAMPLE
+1 processes are unconfined but have a profile defined.
+ /usr/sbin/mysqld (592)
+#+END_EXAMPLE
+
+** Restricting the MariaDB/Mysql II
+*** Restart the service
+#+BEGIN_SRC sh
+/etc/init.d/mysql restart
+#+END_SRC
+
+*** Output
+#+BEGIN_EXAMPLE
+1 processes are in complain mode.
+ /usr/sbin/mysqld (2461)
+#+END_EXAMPLE
+
+** Restricting the MariaDB/Mysql III
+*** Enforce the policy
+#+BEGIN_SRC sh
+aa-enforce /usr/sbin/mysqld
+#+END_SRC
+
+*** Output
+#+BEGIN_EXAMPLE
+1 processes are in enforce mode.
+ /usr/sbin/mysqld (2461)
+#+END_EXAMPLE
+
+** Restricting kapano-server
+- new profile created from scratch
+*** Add the apparmor policy
+#+BEGIN_SRC sh
+ cd /etc/apparmor.d
+ cp profiles/usr.sbin.kopano-server .
+ touch local/usr.sbin.kopano-server
+ apparmor_parser -a usr.sbin.kopano-server
+ systemctl restart kopano-server
+#+END_SRC
+
+** Restricting kopano-dagent
+
+*** kopano-dagent
+- Reads untrusted network traffic
+- Similar to the server but far less permissions
+- New profile created from scratch
+
+*** Add the apparmor policy
+#+BEGIN_SRC sh
+ cp profiles/usr.sbin.kopano-dagent /etc/apparmor.d/
+ touch /etc/apparmor.d/local/usr.sbin.kopano-dagent
+ apparmor_parser -a /etc/apparmor.d/usr.sbin.kopano-dagent
+#+END_SRC
+
+** Restricting kopano-search
+- Indexes untrusted data
+- Basic profile
+*** Kopano Search
+
+#+BEGIN_SRC
+touch local/usr.sbin.kopano-search
+cp profiles/usr/sbin.kopano-search /etc/apparmor.d
+apparmor_parser -a /etc/apparmor.d/usr.sbin.kopano-search
+#+END_SRC
+
+** TODO Other core services and helpers
+
+kopano-archiver, kopano-backup, kopano-gateway, kopano-ical,
+kopnao-monitor, kopano-spooler
+
+** Restricting Webapp (Apache)
+*** Restricting Apache itself
+
+#+BEGIN_SRC sh
+apt-get install libapache2-mod-apparmor
+rm /etc/apparmor.d/disable/usr.sbin.apache2
+apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
+aa-status
+#+END_SRC
+
+** Restricting Webapp (Webapp)
+- New profile created from scratch
+- Add AAHatName to /etc/kopano/apache2.conf
+- Enable profile
+*** Restricting Webapp
+#+BEGIN_SRC sh
+ cp profiles/kopano-webapp /etc/apparmor.d/apache2.d/
+ apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
+ a2enmod apparmor
+ systemctl restart apache2
+#+END_SRC
+
+** TODO Other Kopano Components
+
+- +Z-Push+
+- +Deskapp+
+ (but see http://bugs.debian.org/742829 for chromium)
+- +Mattermost+
+
+** How you can help
+
+See above
+
+** Upstreaming Status
+- [-] mariadb profile fixes
+ - [X] https://github.com/MariaDB/server/pull/447
+ - [ ] https://bugs.debian.org/875890
+- [ ] apache2 profile fixes
+ - [ ] https://code.launchpad.net/~intrigeri/apparmor/apache2-attach_disconnected/+merge/331065
+ - [ ] http://bugs.debian.org/875892
+- [-] kopanocore profiles
+ - [ ] Upstream https://github.com/Kopano-mirror/kopano-core/pull/1
+ - [X] Debian Package
+- [X] kopano-webapp profile
+ - [ ] Upstream not yet submitted
+ - [X] Debian: Pushed to git
+- [ ] dh-apparmor
+ - Support /etc/apparmor.d/apache/: http://bugs.debian.org/876647
+
+* Appendix :B_appendix:
+ :PROPERTIES:
+ :BEAMER_env: appendix
+ :END:
+
+** Thanks
+
+- Send profile updates to <pkg-giraffe-discuss@lists.alioth.debian.org>
+- Questions?
+
+** Links
+- http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
+
+** Status of Kopano in Debian
+
+- kopanocore 8.3.4 is in Buster/testing
+- z-push 2.3.8 is in experimental
+- Webapp 3.3.1 in waiting in new
+
+# Local Variables:
+# org-src-preserve-indentation: t
+# End:
diff --git a/talk.pdf b/talk.pdf
new file mode 100644
index 0000000..7f914ac
--- /dev/null
+++ b/talk.pdf
Binary files differ