Comments (2)
Some IRC chat about it from #juju@freenode:
20:41 < arosales> Policy states, "Should make use of AppArmor to increase security."
20:41 < arosales> https://jujucharms.com/docs/authors-charm-policy
20:41 < arosales> But we don't make any references to how this can be accomplished in the charm, and we unfortunately don't have any good examples.
20:42 < arosales> I am a +1 for security, but how do we enforce this or if a user says, "Great how do I do this" what is the answer?
20:42 * arosales ends question
20:43 < sarnold> hey arosales :) there's a handful of policies in /etc/apparmor.d/ on most ubuntu systems that can serve as a too-quick introduction to apparmor
20:44 < arosales> sarnold: hello :-)
20:44 < sarnold> arosales: jdstrand has a series of short-and-sweet blog posts about apparmor that are a decent enough introduction, too, https://penguindroppings.wordpress.com/2014/06/06/application-isolation-with-apparmor-part-iv/
20:44 < arosales> Perhaps the right answer here is to reach out to the ubuntu security team and formulate some examples in the docs
20:45 < sarnold> arosales: one thing that I'd love to see in juju charms is making use of the relation information to help create flexible policies
20:45 < mbruzek> arosales: This policy predates me, but I have not seen a charm using apparmor. I suspect someone knows how to do that
20:45 < arosales> sarnold: do you feel this is handled inside the app, or are there extra measure the charm should be taking?
20:45 < sarnold> arosales: it depends; e.g., installing mysql from the archive will automatically get the packaged apparmor policies installed
20:46 < mbruzek> good point sarnold
20:46 < arosales> good point, but others may not . . .
20:46 < sarnold> arosales: but if you're creating a charm for software that doesn't already supply its own policy, you could bundle it alongside the charm, drop it into /etc/apparmor.d/, and .. waves hands about making sure it's loaded before the service is started
20:47 < sarnold> arosales: one complicating factor is that apparmor policies currently can't be nested; the local provider uses LXC, which uses apparmor to enforce some of its policies. so, local deployed charms wouldn't be able to use their own policy. (this is being addressed but probably won't be ready for many months.)
20:49 < sarnold> arosales: jdstrand and sbeattie also put together an apparmor "policy template" language, apparmor-easyprof, that might be a suitable starting place for charm authors to smack out some quick template-based policies -- which might be useful for tuning them based on configurations
20:49 < arosales> interesting re lxc, didn't think of that
20:50 < sarnold> I think the mysql init stuff may have mechanisms in place to cope, I haven't looked in ages.
20:50 < arosales> sarnold: do you have a link to the "policy template" language?
20:51 < arosales> sarnold: do you know of any issues with xen or kvm in AppArmor policies?
20:51 < sarnold> arosales: hrm, I'm having trouble finding links to apparmor-easyprof examples; it's used a bit with snap / click packaging but those tools aren't exactly easy to learn from
20:52 < lazyPower> arosales: i agree that we need to get documentation around this or link to the proper docs in our charming series docs
20:52 < sarnold> arosales: xen / kvm should work just fine; libvirtd does have apparmor policies confining portions of the systems (e.g. shared host/guest filesystems sometimes have trouble, and need extended policies) -- but the kvm-emulated machine or xen-emulated machine get their own apparmor policies no trouble
20:52 < lazyPower> arosales: what may be a good starting point would be to get a charm school video about security enhancement with AppArmor profiles on a simple charm - like pick the day1 charm and put in some nginx AppArmor policies
20:53 < lazyPower> however AppArmor itself is a beast of a topic and goes into a broad range of things as sarnold has pointed out
20:54 < arosales> lazyPower: ya I think at a min we need some docs to point users on how to accomplish this
20:55 < lazyPower> arosales: i have a marching order over this next week to get some visualizations done for my slides / video over charm relationships - i can add an addendum to that for AppArmor as a follow up task.
20:55 < arosales> sarnold: thanks for the input here, much appreciated
20:55 < sarnold> the policies are easy enough; the hard part is tying them together to handle e.g. running under lxc, getting them loaded before programs start, etc..
20:56 < lazyPower> I've run into some really good articles that we - being juju charmers, are not warehousing, but i can distill that info into a digestible doc for starting out with AppArmor and link to the AppArmor community documentation which goes into further depth on how to write them
20:56 < arosales> lazyPower: if you have some time to start some docs on apparmor that would be helpful
from docs.
The new link for this issue is: https://jujucharms.com/docs/2.2/authors-charm-policy
The explanation of how to use AppArmor is still vague, and could use some clarification.
from docs.
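The IRC discussion above names the pieces a charm needs but never shows them together: bundle a profile, drop it into /etc/apparmor.d/, load it before the service starts, and cope with hosts (notably LXC containers) where nested AppArmor policy cannot be loaded. The following install-hook fragment is an added example written for this issue; it is not code from the Juju docs, from any published charm, or from the Ubuntu security team. The nginx profile it ships (following lazyPower's "day1 charm plus nginx policies" suggestion), the profile name `usr.sbin.nginx`, and the `PROFILE_DIR` override are illustrative assumptions; the `apparmor_parser`, `aa-status`, and `/sys/module/apparmor/parameters/enabled` interfaces are the standard ones on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the Juju docs or any charm: a charm install-hook
# fragment that ships an AppArmor profile for nginx, loads it into the kernel,
# verifies it is present, and only then (re)starts the service.
# Profile name and directory are assumptions for illustration.
set -eu

PROFILE_NAME="usr.sbin.nginx"
PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d}"

# Print the profile text. Rules are deliberately tight: read config and
# content, write only logs, pid and cache, bind low ports, and explicitly
# deny the secrets a web server has no business reading.
render_profile() {
    cat <<'EOF'
#include <tunables/global>

/usr/sbin/nginx {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setuid,
  capability setgid,
  capability dac_override,

  network inet stream,
  network inet6 stream,

  /usr/sbin/nginx mr,
  /etc/nginx/** r,
  /var/www/html/** r,
  /var/log/nginx/*.log w,
  /run/nginx.pid rw,
  /var/lib/nginx/** rw,

  deny /etc/shadow r,
  deny /home/** rw,
}
EOF
}

# 0 when the kernel has AppArmor enabled, 1 otherwise. Inside an LXC container
# the host already confines the container and a nested profile will not load,
# which is exactly the "local provider" caveat raised in the chat.
apparmor_available() {
    [ -r /sys/module/apparmor/parameters/enabled ] &&
        [ "$(cat /sys/module/apparmor/parameters/enabled)" = "Y" ]
}

# Write the profile to the path given as $1 and echo that path.
write_profile() {
    render_profile > "$1"
    printf '%s\n' "$1"
}

# Load (or replace, -r) the profile and write the binary cache (-W) so the
# next boot does not recompile it. Must run as root, before nginx starts.
load_profile() {
    apparmor_parser -r -W "$1"
}

# Full hook flow: write, load, verify, then restart nginx so its processes
# pick up confinement. Falls back loudly rather than failing the hook when
# AppArmor is unavailable on this host.
install_confined_nginx() {
    profile="$PROFILE_DIR/$PROFILE_NAME"
    write_profile "$profile" >/dev/null
    if apparmor_available; then
        load_profile "$profile"
        # aa-status lists every loaded profile by name; refuse to start
        # the service unconfined if ours is missing.
        aa-status 2>/dev/null | grep -q '^ */usr/sbin/nginx' || {
            echo "AppArmor profile for nginx did not load" >&2
            return 1
        }
    else
        echo "AppArmor not enabled here (nested LXC?); nginx will run unconfined" >&2
    fi
    service nginx restart
}

# Run the hook flow only when invoked as `hooks/install install`; sourcing
# the file merely defines the functions above.
if [ "${1:-}" = "install" ]; then
    install_confined_nginx
fi
```

To verify confinement after the hook runs, `aa-status` should list `/usr/sbin/nginx` under enforce mode and `cat /proc/$(cat /run/nginx.pid)/attr/current` should print `/usr/sbin/nginx (enforce)`; denials land in `dmesg` / `/var/log/syslog` as `apparmor="DENIED"` lines, which is the signal to widen a rule rather than to disable the profile. Ordering matters: if the package's own init script or a `config-changed` hook starts nginx before `apparmor_parser` runs, the already-running master process stays unconfined until restarted.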