Get AppArmor support into postmarketOS
Roughly listing out past and next steps for apparmor integration. This will change, depending on how Alpine wants to have it integrated upstream.
- research how it could be implemented
- create proof of concept repository with two example profiles (gnome-calculator, postmarketos-welcome-gtk3): postmarketos-apparmor-profiles
- kick off discussion with alpine: ML post
- create wiki page: https://wiki.postmarketos.org/wiki/AppArmor
- pmbootstrap kconfig check changes (pmbootstrap!2133 (merged))
- initial version in pmaports (!2624 (closed))
- enable by default in postmarketos-base-ui
- enable this for all devices in main and community
- make it a requirement for future devices in main and community
- add CI check in postmarketos-apparmor-profiles.git, that runs make check to parse the profiles. The Makefile rule already works, however it seems that it can only run if the kernel has apparmor enabled? verify and possibly work around it with qemu or something to make it work in gitlab CI if needed.
- create profiles for CLI applications that handle untrusted input, some examples:
  - BlueZ bluetooth daemon
  - BlueZ obex daemon
  - eg25-manager
  - modemmanager
  - networkmanager
  - ntpd
- figure out how to use xdg portals with gui applications contained with apparmor. with this we should be able to deny access to files in the home dir for example, and when an application wants to open a file (e.g. file upload dialog in firefox), the portal will cause a different process ("broker") with more access to show a dialog to the user, where they can select a file. then the broker will give access to only that file to the sandboxed application.
- create profiles for GUI applications
  - all preinstalled apps for Phosh (postmarketos-apparmor-profiles#1)
  - Sxmo
  - Plasma Mobile
Edited by Oliver Smith