From bfdeaac7ef5c4816759acb0dddc299a58bf27755 Mon Sep 17 00:00:00 2001 From: Guido Günther Date: Mon, 25 Sep 2017 19:22:15 +0200 Subject: Initial commit --- .gitignore | 3 + Makefile | 9 ++ profiles/Makefile | 2 + profiles/apache2.conf | 81 ++++++++++ profiles/apache2.d/kopano-webapp | 26 ++++ profiles/kopano-webapp | 28 ++++ profiles/usr.sbin.apache2 | 109 ++++++++++++++ profiles/usr.sbin.kopano-dagent | 35 +++++ profiles/usr.sbin.kopano-search | 50 +++++++ profiles/usr.sbin.kopano-server | 43 ++++++ profiles/usr.sbin.mysqld | 152 +++++++++++++++++++ talk.org | 309 +++++++++++++++++++++++++++++++++++++++ talk.pdf | Bin 0 -> 168780 bytes 13 files changed, 847 insertions(+) create mode 100644 .gitignore create mode 100644 Makefile create mode 100644 profiles/Makefile create mode 100644 profiles/apache2.conf create mode 100644 profiles/apache2.d/kopano-webapp create mode 100644 profiles/kopano-webapp create mode 100644 profiles/usr.sbin.apache2 create mode 100644 profiles/usr.sbin.kopano-dagent create mode 100644 profiles/usr.sbin.kopano-search create mode 100644 profiles/usr.sbin.kopano-server create mode 100644 profiles/usr.sbin.mysqld create mode 100644 talk.org create mode 100644 talk.pdf diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..93a74fb --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +*~ +*.log +*.tex diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..9390105 --- /dev/null +++ b/Makefile @@ -0,0 +1,9 @@ +all: talk.pdf + +talk.pdf: talk.org + # org-src-preserve-indentation prevents spaces converted to tabs in babel) + emacs -batch $< --eval='(setq org-src-preserve-indentation t)' \ + --eval='(org-beamer-export-to-pdf)' + +clean: + rm -f *.tex diff --git a/profiles/Makefile b/profiles/Makefile new file mode 100644 index 0000000..210b72f --- /dev/null +++ b/profiles/Makefile 
@@ -0,0 +1,2 @@
+all:
+ for p in usr.sbin.kopano-{dagent,server} usr.sbin.mysqld usr.sbin.kopano-search apache2.d/kopano-webapp; do scp autopkgtest:/etc/apparmor.d/$$p ./$$p; done
diff --git a/profiles/apache2.conf b/profiles/apache2.conf
new file mode 100644
index 0000000..ce0095c
--- /dev/null
+++ b/profiles/apache2.conf
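Review bot: The recipe depends on brace expansion in `usr.sbin.kopano-{dagent,server}`, but make runs recipes with /bin/sh, which on Debian is dash and does not expand braces, so the loop hands the literal `usr.sbin.kopano-{dagent,server}` to scp and only the last three profiles are fetched. Either add `SHELL := /bin/bash` above the target or spell the two names out, `usr.sbin.kopano-dagent usr.sbin.kopano-server`. Since `all` produces no file of that name, a `.PHONY: all` line would also keep the target from being skipped if a file called `all` ever lands in the directory.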
@@ -0,0 +1,81 @@ +# example main configuration for kopano-webapp +#vim: set ft=apache ts=4 sw=4 expandtab :# + + + DirectoryIndex index.php + Options -Indexes +FollowSymLinks + AllowOverride Options + + + AAHatName kopano-webapp + + + # Only server Apache2.4 + = 2.3> + Require all granted + + + FileETag All + + # Uncomment to enhance security of WebApp by restricting cookies to + # only be provided over HTTPS connections. + # php_flag session.cookie_secure on + # php_flag session.cookie_httponly on + + # The maximum POST limit. To upload large files, this value must be + # larger than upload_max_filesize. + php_value post_max_size 31M + php_value upload_max_filesize 30M + + # Manipulate the cache control headers if mod_expires and + # mod_headers are both enabled; otherwise the client will depend + # on the ETag header. However, you can set FileETag to "None" if + # you have multiple servers serving WebApp to the same user. In + # that case, apache will fall back to the config below so make + # sure these two modules are loaded! + + + ExpiresActive On + ExpiresDefault "now" + + + # All (static) resources set to 2 months expiration time. + ExpiresDefault "access plus 2 months" + Header append Cache-Control "public" + + + + # All non-dynamic files set to 2 weeks expiration time. + ExpiresDefault "access plus 2 weeks" + # User agents are requested to revalidate for each resource + # so that the server can always serve a newer version if + # necessary. + Header append Cache-Control "no-cache, must-revalidate" + + # Treat IE a little differently due to the remarks on no-cache + # on http://support.microsoft.com/kb/234067 + + BrowserMatch MSIE ie_bug + + Header set Cache-Control "must-revalidate, private" env=ie_bug + + + + # PHP files must always be retrieved from the server. 
+ ExpiresActive Off + Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform" + Header set Pragma "no-cache" + + + + + # Enable gzip compression if the module is available + + + SetOutputFilter DEFLATE + + + + + +# vim: autoindent ts=4 sw=4 expandtab softtabstop=4 ft=conf diff --git a/profiles/apache2.d/kopano-webapp b/profiles/apache2.d/kopano-webapp new file mode 100644 index 0000000..17654c5 --- /dev/null +++ b/profiles/apache2.d/kopano-webapp @@ -0,0 +1,26 @@ +# Last Modified: Fri Sep 11 13:27:22 2009 +# Author: Guido Günther + + ^kopano-webapp { + #include + #include + #include + #include + + @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pid}/cmdline r, + + /etc/gss/mech.d/ r, + /etc/gss/mech.d/*.conf r, + + /etc/kopano/webapp/config.php r, + + /usr/share/kopano-webapp/** r, + + /var/lib/kopano-webapp/tmp/** rwk, + + /var/log/apache2/ r, + # FIXME: we should use separate logfiles for kopano upfront + /var/log/apache2/error.log rw, + /var/log/apache2/other_vhosts_access.log rw, + } diff --git a/profiles/kopano-webapp b/profiles/kopano-webapp new file mode 100644 index 0000000..28d11bd --- /dev/null +++ b/profiles/kopano-webapp @@ -0,0 +1,28 @@ +# Author: Guido Günther + + ^kopano-webapp { + #include + #include + #include + #include + + @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pid}/cmdline r, + + /etc/gss/mech.d/ r, + /etc/gss/mech.d/*.conf r, + + /etc/kopano/webapp/*.php r, + + /usr/share/kopano-webapp/** r, + + /var/lib/kopano-webapp/tmp/** rwk, + + /var/log/apache2/ r, + # FIXME: we should use separate logfiles for kopano upfront + /var/log/apache2/error.log rw, + /var/log/apache2/other_vhosts_access.log rw, + + # Useful when in debugging mode + /usr/share/kopano-webapp/debug.txt rw, + } diff --git a/profiles/usr.sbin.apache2 b/profiles/usr.sbin.apache2 new file mode 100644 index 0000000..dd23f51 --- /dev/null +++ b/profiles/usr.sbin.apache2 
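Review bot: `FileETag All` puts the file's inode number into the ETag, which exposes filesystem metadata to clients and is also why, as the comment below it notes, ETags differ between servers; `FileETag MTime Size` yields stable validators without the inode. The `session.cookie_secure` and `session.cookie_httponly` flags are left commented out, so a deployment that copies this example unchanged ships session cookies without either flag; enabling `php_flag session.cookie_httponly on` unconditionally and tying the secure flag to the TLS vhost would be a safer default for the file that also carries the `AAHatName kopano-webapp` stanza. The enclosing directive containers are not visible in this rendering, so which block each stanza belongs to could not be verified here.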
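Review bot: The hat grants `/var/log/apache2/error.log rw` and `/var/log/apache2/other_vhosts_access.log rw`, so code running confined as kopano-webapp can read every vhost's access and error log, including request paths and client addresses of unrelated sites; the FIXME above those lines already acknowledges the shared-log problem. Until separate log files exist, dropping `r` and keeping `w` (or `a`, which AppArmor accepts for append-only) contains the disclosure; whether the hat needs the log rules at all is doubtful, since the log descriptors are opened by the parent before a request enters the hat, so this is worth checking in complain mode. This file and profiles/kopano-webapp are near-duplicates that already diverge (`config.php` here versus `*.php` there, plus the extra `debug.txt rw` rule), so one should be a copy of the other or be dropped.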
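Review bot: `/usr/share/kopano-webapp/debug.txt rw` lets web-facing code write inside the application's code tree under /usr/share, which is the one directory the preceding `/usr/share/kopano-webapp/** r` rule deliberately keeps read-only. The comment says it is only useful in debugging mode, so it belongs in the site-local override rather than the shipped profile, or debug output should be pointed at `/var/lib/kopano-webapp/tmp/`, which is already writable via `/var/lib/kopano-webapp/tmp/** rwk`. If it stays, a comment such as `# debug.txt: remove in production, grants write access into the code tree` next to it would flag the trade-off.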
@@ -0,0 +1,109 @@ +# Author: Marc Deslauriers + +#include +/usr/sbin/apache2 flags=(attach_disconnected) { + + # This profile is completely permissive. + # It is designed to target specific applications using mod_apparmor, + # hats, and the apache2.d directory. + # + # In order to enable this profile, you must: + # + # 0- Stop apache: + # sudo service apache2 stop + # + # 1- Enable the profile: + # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2 + # + # 2- Load the mpm_prefork and mod_apparmor modules: + # sudo a2dismod + # sudo a2enmod mpm_prefork + # sudo a2enmod apparmor + # sudo service apache2 restart + # + # 3- Place an appropriate profile containing the desired hat in the + # /etc/apparmor.d/apache2.d directory. Such profiles must include + # the "apache2-common" abstraction: + # + # ^example.com flags=(complain) { + # #include + # /var/www/html/ r, + # /var/www/html/** r, + # /var/log/apache2/*.log w, + # } + # + # 4- Use the "AADefaultHatName" apache configuration option to specify a + # hat to be used for a given apache virtualhost or "AAHatName" for + # a given apache directory or location directive: + # + # + # + # AADefaultHatName example.com + # + # ... + # + # + # + # There is an example profile for phpsysinfo included in the + # apparmor-profiles package. To try it: + # + # 1- Install the phpsysinfo and the apparmor-profiles packages: + # sudo apt-get install phpsysinfo apparmor-profiles + # + # 2- Enable the main apache2 profile + # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2 + # + # 3- Configure apache with the following (or similar): + # Alias /phpsysinfo /usr/share/phpsysinfo + # + # + # AAHatName phpsysinfo + # + # + # # adjust as necessary: + # Options None + # Require local + # Require ip 192.168.0.0/16 + # + # + + #include + #include + + # Send signals to all hats. 
+ signal (send) peer=@{profile_name}//*,
+
+ capability dac_override,
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_tty_config,
+
+ / rw,
+ /** mrwlkix,
+
+
+ ^DEFAULT_URI flags=(attach_disconnected) {
+ #include
+ #include
+
+ / rw,
+ /** mrwlkix,
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) {
+ #include
+
+ / rw,
+ /** mrwlkix,
+ }
+
+ # This directory contains web application
+ # package-specific apparmor files.
+
+ #include
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/profiles/usr.sbin.kopano-dagent b/profiles/usr.sbin.kopano-dagent
new file mode 100644
index 0000000..068919b
--- /dev/null
+++ b/profiles/usr.sbin.kopano-dagent
@@ -0,0 +1,35 @@
+#include
+
+/usr/sbin/kopano-dagent {
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/@{pid}/cmdline r,
+
+ /etc/gai.conf r,
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/*.conf r,
+ /etc/kopano/dagent.cfg r,
+
+ /usr/share/kopano-dagent/python/*.py{,c} r,
+
+ /var/lib/kopano/dagent/plugins/ r,
+
+ /etc/mapi/ r,
+ /etc/mapi/* r,
+
+ /run/kopano/dagent.pid rw,
+ /var/log/kopano/dagent.log rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/profiles/usr.sbin.kopano-search b/profiles/usr.sbin.kopano-search
new file mode 100644
index 0000000..6ee700b
--- /dev/null
+++ b/profiles/usr.sbin.kopano-search
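Review bot: The `^HANDLING_UNTRUSTED_INPUT` hat receives the same `/ rw,` and `/** mrwlkix,` as the parent, although, as far as can be inferred from its name and mod_apparmor's design rather than from this hunk, it is the hat in effect while the raw request is parsed before any AAHatName applies. No application code runs in that phase, so it could be reduced to the `apache2-common` abstraction it already includes plus the log paths, leaving the deliberately permissive rules to the parent and `^DEFAULT_URI`. Whichever way it is decided, a comment such as `# entered before any AAHatName matches; keep minimal` on that hat would record the intent. The header explains that the top-level profile is permissive by design, but restating next to the capability list that `capability dac_override` with `/** mrwlkix` gives the parent no effective confinement would help readers who start at the rules.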
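Review bot: `/var/lib/kopano/dagent/plugins/ r` allows listing the plugin directory but not reading anything inside it, so if plugins are expected there the rule also needs `/var/lib/kopano/dagent/plugins/** r,`; if none are shipped, a comment saying so avoids the question. For consistency with usr.sbin.kopano-search, which carries `deny /usr/lib/python2.7/dist-packages/kopano_search/*.pyc w,`, a matching quiet deny for the dagent python directory would keep byte-compile attempts out of the audit log, since the implicit denial from `/usr/share/kopano-dagent/python/*.py{,c} r` is logged. The profile grants `capability dac_override` and `capability dac_read_search` to a daemon the talk describes as reading untrusted network traffic; they only widen access within the listed paths, but if dagent needs them solely to drop privileges at start, `setuid`/`setgid` alone may suffice — worth confirming in complain mode.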
@@ -0,0 +1,50 @@
+# Last Modified: Fri Sep 8 14:49:47 2017
+#include
+
+/usr/sbin/kopano-search {
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ deny /usr/lib/python2.7/dist-packages/kopano_search/*.pyc w,
+
+ # FIXME: it would be nice if search would use search- like pa
+ /dev/shm/* rwl,
+
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/*.conf r,
+
+ /lib/x86_64-linux-gnu/ld-*.so mr,
+ /usr/bin/python2.7 ix,
+ /usr/sbin/kopano-search r,
+
+ /etc/kopano/search.cfg r,
+
+ /bin/dash Pix,
+ /bin/rm Pix,
+ /sbin/ldconfig Pix,
+
+ /etc/mapi/ r,
+ /etc/mapi/kopano.inf r,
+ /etc/mapi/zcontacts.inf r,
+
+ /run/kopano/search.pid rw,
+ /run/kopano/search.pid.lock lrw,
+ /run/kopano/search.sock rw,
+ /run/kopano/*.*-* rw,
+
+ /var/lib/kopano/search/** rwlk,
+ /var/log/kopano/search.log rw,
+}
diff --git a/profiles/usr.sbin.kopano-server b/profiles/usr.sbin.kopano-server
new file mode 100644
index 0000000..0f3648c
--- /dev/null
+++ b/profiles/usr.sbin.kopano-server
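Review bot: `/dev/shm/* rwl` lets the indexer, which processes untrusted data, open, write and unlink every POSIX shared-memory object on the host, including those of unrelated services; adding the `owner` qualifier, `owner /dev/shm/* rwl,`, confines it to objects owned by the kopano user while the naming-based fix from the FIXME is pending. `/lib/x86_64-linux-gnu/ld-*.so mr` hardcodes the architecture, and usr.sbin.kopano-server does the same with `/usr/lib/x86_64-linux-gnu/kopano/*.so m`; the `@{multiarch}` variable from tunables/multiarch makes both portable, e.g. `/lib/@{multiarch}/ld-*.so mr,`. `/run/kopano/*.*-* rw` is wide enough to match other Kopano daemons' runtime files, so a comment naming what it is meant to cover would help the next maintainer judge whether it can be narrowed.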
@@ -0,0 +1,43 @@
+#include
+
+/usr/sbin/kopano-server {
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ network tcp,
+
+ /etc/kopano/debian-db.cfg r,
+ /etc/kopano/server.cfg r,
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /run/kopano/prio.sock rw,
+ /run/kopano/server.pid rw,
+ /run/kopano/server.sock rw,
+
+ /usr/lib/x86_64-linux-gnu/kopano/*.so m,
+
+ /var/lib/kopano/attachments/ r,
+ /var/lib/kopano/attachments/** rw,
+ /var/log/kopano/server.log rw,
+
+ /etc/kopano/userscripts/* Cxr -> kopano_userscripts,
+
+ # There's little we can do if the server is allowed to run
+ # arbitrary scripts
+ profile kopano_userscripts {
+ file,
+ network,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/profiles/usr.sbin.mysqld b/profiles/usr.sbin.mysqld
new file mode 100644
index 0000000..862cee0
--- /dev/null
+++ b/profiles/usr.sbin.mysqld
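Review bot: The bare `file,` and `network,` rules in the `kopano_userscripts` child profile read as "no confinement", but a child profile inherits none of the parent's capabilities and this one lists none, so a user script that needs, say, chown fails with an audited denial rather than running unconfined; a comment such as `# no capabilities are granted here; add them explicitly if a script needs one` beside the existing remark would save debugging time and makes the residual restriction visible. `/usr/lib/x86_64-linux-gnu/kopano/*.so m` hardcodes the architecture; `/usr/lib/@{multiarch}/kopano/*.so m,` is the portable form and keeps the profile loadable on other Debian architectures. `/etc/kopano/userscripts/* Cxr` matches only direct children of that directory, which is presumably intended but worth a one-line note so helpers placed in subdirectories are not mistaken for a profile bug.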
@@ -0,0 +1,152 @@ +# Last Modified: Fri Mar 1 18:55:47 2013 +# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu. +# This AppArmor profile has been copied under BSD License from +# Percona XtraDB Cluster, along with some additions. + +#include + +/usr/sbin/mysqld { + #include + #include + #include + #include + #include + + capability chown, + capability dac_override, + capability setgid, + capability setuid, + capability sys_rawio, + capability sys_resource, + + network tcp, + + /bin/dash rcx, + /dev/dm-0 r, + /etc/gai.conf r, + /etc/group r, + /etc/hosts.allow r, + /etc/hosts.deny r, + /etc/ld.so.cache r, + /etc/mtab r, + /etc/my.cnf r, + /etc/mysql/*.cnf r, + /etc/mysql/*.pem r, + /etc/mysql/conf.d/ r, + /etc/mysql/conf.d/* r, + /etc/mysql/mariadb.conf.d/ r, + /etc/mysql/mariadb.conf.d/* r, + /etc/nsswitch.conf r, + /etc/passwd r, + /etc/services r, + /run/mysqld/mysqld.pid w, + /run/mysqld/mysqld.sock w, + /sys/devices/system/cpu/ r, + owner /tmp/** lk, + /tmp/** rw, + /usr/lib/mysql/plugin/ r, + /usr/lib/mysql/plugin/*.so* mr, + /usr/sbin/mysqld mr, + /usr/share/mysql/** r, + /var/lib/mysql/ r, + /var/lib/mysql/** rwk, + /var/log/mysql.err rw, + /var/log/mysql.log rw, + /var/log/mysql/ r, + /var/log/mysql/* rw, + /var/run/mysqld/mysqld.pid w, + /var/run/mysqld/mysqld.sock w, + + + profile /bin/dash { + #include + #include + #include + #include + #include + + + + /bin/cat rix, + /bin/dash rix, + /bin/date rix, + /bin/grep rix, + /bin/nc.openbsd rix, + /bin/netstat rix, + /bin/ps rix, + /bin/rm rix, + /bin/sed rix, + /bin/sleep rix, + /bin/tar rix, + /bin/which rix, + /dev/tty rw, + /etc/ld.so.cache r, + /etc/my.cnf r, + /proc/ r, + /proc/*/cmdline r, + /proc/*/fd/ r, + /proc/*/net/dev r, + /proc/*/net/if_inet6 r, + /proc/*/net/tcp r, + /proc/*/net/tcp6 r, + /proc/*/stat r, + /proc/*/status r, + /proc/sys/kernel/pid_max r, + /proc/tty/drivers r, + /proc/uptime r, + /proc/version r, + /sbin/ifconfig rix, + /sys/devices/system/cpu/ r, + /tmp/** rw, + 
/usr/bin/cut rix, + /usr/bin/dirname rix, + /usr/bin/gawk rix, + /usr/bin/innobackupex rix, + /usr/bin/mysql rix, + /usr/bin/perl rix, + /usr/bin/seq rix, + /usr/bin/wsrep_sst* rix, + /usr/bin/wsrep_sst_common r, + /usr/bin/xtrabackup* rix, + /var/lib/mysql/ r, + /var/lib/mysql/** rw, + /var/lib/mysql/*.log w, + /var/lib/mysql/*.err w, + +# MariaDB additions + ptrace peer=@{profile_name}, + + /bin/hostname rix, + /bin/ip rix, + /bin/mktemp rix, + /bin/ss rix, + /bin/sync rix, + /bin/touch rix, + /bin/uname rix, + /etc/mysql/*.cnf r, + /etc/mysql/conf.d/ r, + /etc/mysql/conf.d/* r, + /proc/*/attr/current r, + /proc/*/fdinfo/* r, + /proc/*/net/* r, + /proc/locks r, + /proc/sys/net/ipv4/ip_local_port_range r, + /run/mysqld/mysqld.sock rw, + /sbin/ip rix, + /usr/bin/basename rix, + /usr/bin/du rix, + /usr/bin/find rix, + /usr/bin/lsof rix, + /usr/bin/my_print_defaults rix, + /usr/bin/mysqldump rix, + /usr/bin/pv rix, + /usr/bin/rsync rix, + /usr/bin/socat rix, + /usr/bin/tail rix, + /usr/bin/timeout rix, + /usr/bin/xargs rix, + /usr/bin/xbstream rix, + } + # Site-specific additions and overrides. See local/README for details. + #include +} diff --git a/talk.org b/talk.org new file mode 100644 index 0000000..4ad6336 --- /dev/null +++ b/talk.org 
@@ -0,0 +1,309 @@ +#+TODO: TODO(t) IN-PROGRESS DONE +#+STARTUP: indent +#+OPTIONS: ':nil *:t -:t ::t <:t H:2 \n:nil ^:t arch:headline +#+OPTIONS: author:t broken-links:nil c:nil creator:nil +#+OPTIONS: d:(not "LOGBOOK") date:t e:t email:nil f:t inline:t num:t +#+OPTIONS: p:nil pri:nil prop:nil stat:t tags:t tasks:t tex:t +#+OPTIONS: timestamp:t title:t toc:t todo:t |:t +#+TITLE: Securing Kopano with Apparmor +#+SUBTITLE: Kopano Conference 2017, Arnhem NL +#+DATE: 2017-09-28 +#+AUTHOR: Guido Günther +#+EMAIL: agx@sigxcpu.org +#+LANGUAGE: en +#+SELECT_TAGS: export +#+EXCLUDE_TAGS: noexport +#+CREATOR: Emacs 25.2.2 (Org mode 9.0.9) +#+latex_header: \mode{\usetheme{Copenhagen}} +#+latex_header: \setbeamertemplate{headline}{} +#+latex_header: \AtBeginSection[]{\begin{frame}\frametitle{Topic}\tableofcontents[currentsection]\end{frame}} +#+COLUMNS: %40ITEM %10BEAMER_env(Env) %9BEAMER_envargs(Env Args) %4BEAMER_col(Col) %10BEAMER_extra(Extra) + +* Who am I +:PROPERTIES: +:UNNUMBERED: t +:END: + +** About me + +- Debian Developer (libvirt et al., gbp, LTS, ...) 
+- GNOME contributor +- FSFE Fellow +- Freelancing Free Software Developer + +** Intro +:PROPERTIES: +:BEAMER_env: note +:END: +- Purpose: learn what apparmor is, how to use it, how to debug, status of kopano apparmor + +* What is Apparmor + +** What is Apparmor + +- pathname based Mandatory access control (MAC) +- Linux LSM, userspace tools and profiles +- Confines application to a limited set of resources via *profiles* +- These control + - file read, write, execute, lock + - Network access + - raw socket access + - allowed capabilities + - rlimits + - tracing + - (dbus, signals) + +** Apparmor Policy Example I +:PROPERTIES: +:BEAMER_ENVARGS: [t] +:END: + +*** Apparmor Policy Example I :B_ignoreheading: +:PROPERTIES: +:BEAMER_env: ignoreheading +:END: +#+BEAMER: \fontsize{9}{7.2}\selectfont +#+name: Policy example +#+BEGIN_EXAMPLE + +/usr/sbin/kopano-server { + #include + #include + #include + + capability chown, + ... + capability setuid, + + network tcp, + + /etc/kopano/debian-db.cfg r, + /etc/kopano/server.cfg r, + + @{PROC}/@{pid}/task/@{tid}/comm rw, + ... + +#+END_EXAMPLE + +** Apparmor Policy Example II +*** Apparmor Policy Example II :B_ignoreheading: +:PROPERTIES: +:BEAMER_env: ignoreheading +:END: +#+BEAMER: \fontsize{8}{7.2}\selectfont +#+BEGIN_EXAMPLE + ... + /run/kopano/prio.sock rw, + /run/kopano/server.pid rw, + /run/kopano/server.sock rw, + + /usr/lib/x86_64-linux-gnu/kopano/*.so m, + + ... + profile kopano_userscripts { + file, + network, + } + ... 
+} +#+END_EXAMPLE + +** Building and Debugging profiles + +- Denials are logged in kernel log, use *dmesg* +- aa-complain +- aa-genprof + +** Apparmor Distro Support +#+BEAMER: \pause +*** Enabled by default in + +- Ubuntu (lots of code upstreamed in 4.13) +- OpenSuSE + +#+BEAMER: \pause +*** Installation on Debian +https://wiki.debian.org/AppArmor/HowToUse + +#+BEGIN_SRC sh + sudo apt install apparmor apparmor-{utils,profiles} + mkdir /etc/default/grub.d + echo 'GRUB_CMDLINE_LINUX_DEFAULT="' \ + '$GRUB_CMDLINE_LINUX_DEFAULT' \ + 'apparmor=1 security=apparmor"' \ + > /etc/default/grub.d/apparmor.cfg + update-grub && reboot + + aa-enabled && sudo aa-status +#+END_SRC + +* Apparmor and Kopano +** Security Precautions in Kopano + +- Services run as user kopano nowadays +- Built with hardening support (in Debian) + +- But all services run as the _same_ user + +** Why is MAC useful + +- Webapp listens on the internet +- Z-Push listens on the internet +- e.g. kopano-dagent and kopano-search process untrusted input +- ... + +** Restricting the MariaDB/Mysql I +*** Add and activate the profile + +#+BEGIN_SRC sh +wget 'https://raw.githubusercontent.com/MariaDB/' \ + 'server/10.2/' \ + 'support-files/policy/apparmor/usr.sbin.mysqld' +touch /etc/apparmor.d/local/usr.sbin.mysqld +apparmor_parser -a /etc/apparmor.d/usr.sbin.mysqld +#+END_SRC + +Needs current git version + +*** Output +#+BEGIN_EXAMPLE +1 processes are unconfined but have a profile defined. + /usr/sbin/mysqld (592) +#+END_EXAMPLE + +** Restricting the MariaDB/Mysql II +*** Restart the service +#+BEGIN_SRC sh +/etc/init.d/mysql restart +#+END_SRC + +*** Output +#+BEGIN_EXAMPLE +1 processes are in complain mode. + /usr/sbin/mysqld (2461) +#+END_EXAMPLE + +** Restricting the MariaDB/Mysql III +*** Enforce the policy +#+BEGIN_SRC sh +aa-enforce /usr/sbin/mysqld +#+END_SRC + +*** Output +#+BEGIN_EXAMPLE +1 processes are in enforce mode. 
+ /usr/sbin/mysqld (2461) +#+END_EXAMPLE + +** Restricting kapano-server +- new profile created from scratch +*** Add the apparmor policy +#+BEGIN_SRC sh + cd /etc/apparmor.d + cp profiles/usr.sbin.kopano-server . + touch local/usr.sbin.kopano-server + apparmor_parser -a usr.sbin.kopano-server + systemctl restart kopano-server +#+END_SRC + +** Restricting kopano-dagent + +*** kopano-dagent +- Reads untrusted network traffic +- Similar to the server but far less permissions +- New profile created from scratch + +*** Add the apparmor policy +#+BEGIN_SRC sh + cp profiles/usr.sbin.kopano-dagent /etc/apparmor.d/ + touch /etc/apparmor.d/local/usr.sbin.kopano-dagent + apparmor_parser -a /etc/apparmor.d/usr.sbin.kopano-dagent +#+END_SRC + +** Restricting kopano-search +- Indexes untrusted data +- Basic profile +*** Kopano Search + +#+BEGIN_SRC +touch local/usr.sbin.kopano-search +cp profiles/usr/sbin.kopano-search /etc/apparmor.d +apparmor_parser -a /etc/apparmor.d/usr.sbin.kopano-search +#+END_SRC + +** TODO Other core services and helpers + +kopano-archiver, kopano-backup, kopano-gateway, kopano-ical, +kopnao-monitor, kopano-spooler + +** Restricting Webapp (Apache) +*** Restricting Apache itself + +#+BEGIN_SRC sh +apt-get install libapache2-mod-apparmor +rm /etc/apparmor.d/disable/usr.sbin.apache2 +apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2 +aa-status +#+END_SRC + +** Restricting Webapp (Webapp) +- New profile created from scratch +- Add AAHatName to /etc/kopano/apache2.conf +- Enable profile +*** Restricting Webapp +#+BEGIN_SRC sh + cp profiles/kopano-webapp /etc/apparmor.d/apache2.d/ + apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2 + a2enmod apparmor + systemctl restart apache2 +#+END_SRC + +** TODO Other Kopano Components + +- +Z-Push+ +- +Deskapp+ + (but see http://bugs.debian.org/742829 for chromium) +- +Mattermost+ + +** How you can help + +See above + +** Upstreaming Status +- [-] mariadb profile fixes + - [X] 
https://github.com/MariaDB/server/pull/447 + - [ ] https://bugs.debian.org/875890 +- [ ] apache2 profile fixes + - [ ] https://code.launchpad.net/~intrigeri/apparmor/apache2-attach_disconnected/+merge/331065 + - [ ] http://bugs.debian.org/875892 +- [-] kopanocore profiles + - [ ] Upstream https://github.com/Kopano-mirror/kopano-core/pull/1 + - [X] Debian Package +- [X] kopano-webapp profile + - [ ] Upstream not yet submitted + - [X] Debian: Pushed to git +- [ ] dh-apparmor + - Support /etc/apparmor.d/apache/: http://bugs.debian.org/876647 + +* Appendix :B_appendix: + :PROPERTIES: + :BEAMER_env: appendix + :END: + +** Thanks + +- Send profile updates to +- Questions? + +** Links +- http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference + +** Status of Kopano in Debian + +- kopanocore 8.3.4 is in Buster/testing +- z-push 2.3.8 is in experimental +- Webapp 3.3.1 in waiting in new + +# Local Variables: +# org-src-preserve-indentation: t +# End: diff --git a/talk.pdf b/talk.pdf new file mode 100644 index 0000000..7f914ac Binary files /dev/null and b/talk.pdf differ -- cgit v1.2.3