1 IRC_meeting_2024 04 09
John Johansen edited this page 2024-04-09 18:39:22 +00:00
(11:00:49 AM) jjohansen: cboltz-mobile, sarnold, sbeattie, georgiag, anyone else who is interested meeting time.
(11:00:59 AM) jjohansen: iskunk: yes
(11:01:08 AM) iskunk: thanks
(11:01:11 AM) ***georgiag waves
(11:01:59 AM) jjohansen: so we don't have any real agenda
(11:02:24 AM) jjohansen: So first up AppArmor 4
(11:03:11 AM) jjohansen: Beta4 dropped on Sunday, we currently know of a couple of issues that we would like to fix before final release
(11:03:29 AM) jjohansen: current plan is to drop the final release within the next week
(11:04:30 AM) jjohansen: I expect the announcement to come out next week, probably Sunday
(11:04:48 AM) jjohansen: next release is planned for the fall
(11:05:43 AM) jjohansen: AppArmor 4.1 or maybe 5, depending on if we manage to land some stuff that will make large changes to policy possible or if it just ends up being smaller revisions on 4.0
(11:06:08 AM) jjohansen: alphas should start in May
(11:06:56 AM) jjohansen: upstream kernel, we missed the 6.9 merge window and have a backlog of patches waiting on review
(11:07:13 AM) jjohansen: the goal is to clear those out by the end of next week
(11:08:02 AM) jjohansen: and also get the revised unix/inet patches posted for RFC
(11:08:58 AM) jjohansen: feedback, especially on policy language around networking more than welcome
(11:09:59 AM) jjohansen: for Ubuntu/Debian users the packages in the apparmor-dev/apparmor-devel ppa offer a pre-built kernel and userspace
(11:10:04 AM) jjohansen: for testing
(11:11:00 AM) jjohansen: next week, me and georgia will be at Linux Security Summit if anyone else happens to make it
(11:11:25 AM) jjohansen: or wants to follow what is going on there with the Linux Foundation's live stream
(11:11:34 AM) jjohansen: that covers basic status
(11:11:52 AM) jjohansen: does anyone have anything else they want to discuss?
(11:13:30 AM) iskunk: I just wanted to inquire if you/someone had a chance to review the MRs for the new Xorg and transmission profiles
(11:14:53 AM) jjohansen: iskunk: I have glanced at them, but need to spend more time on them
(11:15:37 AM) iskunk: Understood, please let me know if you have any questions. Would like to address any issues, and see those in eventually
(11:16:41 AM) jjohansen: iskunk so, it looks to me that you addressed cboltz's questions for the transmission profile. I will give it a look today
(11:17:27 AM) iskunk: Ah yes, it's just a slightly unusual approach (multiple profiles in a file), IIRC the totem profile does something similar
(11:18:03 AM) jjohansen: I will take another look at the xorg profile, that one gives me pause. In that it could break people's systems
(11:18:38 AM) jjohansen: so it is something that at least in current releases would have to go into profiles/extra that is disabled by default atm
(11:19:04 AM) iskunk: Yes, I left the complain flag set on that one. It needs more testing, e.g. on nvidia systems with the proprietary driver, etc.
(11:19:24 AM) jjohansen: we do want xorg confined
(11:19:51 AM) iskunk: Exactly. It may be passe, but e.g. Xubuntu still uses it (and I use Xubuntu, so...)
(11:20:06 AM) jjohansen: overall, we do plan to ramp up profile integration work in the next six months
(11:21:01 AM) jjohansen: I think we need to land a few features before we can really start integrating the apparmor.d project's profiles, and being more distro agnostic
(11:21:12 AM) jjohansen: basically we need better conditionals
(11:21:15 AM) jjohansen: gah
(11:21:41 AM) iskunk: The AppArmor.d (project) stuff looks good, they've done good work. I just hope it won't be 1500+ files in a single directory. And better conditionals = yes please
(11:21:53 AM) jjohansen: we need
(11:21:53 AM) jjohansen: - better conditionals
(11:21:53 AM) jjohansen: - the parser to export certain support conditionals to policy for conditionals to use
(11:21:53 AM) jjohansen: - object delegation
(11:22:26 AM) jjohansen: all of those are unfortunately side projects atm, so we will see what we can land
(11:23:02 AM) jjohansen: yeah profile layout needs to improve, and the abstractions need to improve
(11:23:52 AM) jjohansen: if you have suggestions for policy layout I am very interested because like you said 1500+ profiles in a single directory is ugly (at best)
(11:24:34 AM) jjohansen: actually that is a discussion we really need to have with cboltz around, since it will heavily affect the tooling
(11:24:59 AM) jjohansen: and potentially the caching
(11:25:06 AM) iskunk: I mean, the AppArmor.d folks have a hierarchy... being able to make use of that would be good. Was discussing it with cboltz, in fact. The current layout, with everything and kitchen sink in /etc/apparmor.d, makes things difficult
(11:25:22 AM) jjohansen: yes
(11:25:57 AM) jjohansen: and yes we assumed there would be a hierarchy, it's a matter of what that looks like
(11:27:18 AM) jjohansen: do we want a master dir, and then human traversable hierarchy that uses symlinks ...
(11:28:01 AM) iskunk: Would *not* want to see something like the /etc/ssl/certs mess
(11:28:01 AM) jjohansen: because sometimes trees/categories also suck for search
(11:28:20 AM) iskunk: I mean, we have find and grep -r ...
(11:28:26 AM) jjohansen: true
(11:30:13 AM) jjohansen: do we have anything else to discuss?
(11:31:03 AM) jjohansen: I am going to add policy layout to the agenda for next meeting, give us some time to put together a proposal
(11:31:21 AM) jjohansen: cboltz-mobile: ^ I know you will have something to say
(11:32:56 AM) cboltz-mobile: yes, when I'm back at a real keyboard ;-)
(11:33:20 AM) jjohansen: yep, just wanted to make sure you would get a highlight
(11:34:49 AM) jjohansen: alright, the Canonical people will be traveling next month and not available for a meeting so let's skip the May meeting
(11:35:21 AM) jjohansen: the next meeting is tentatively Tuesday June 11 @18:00 UTC
(11:35:37 AM) jjohansen: meeting adjourned
(11:35:37 AM) jjohansen: thanks everyone