AppArmor Development Roadmap
This page describes the direction and future of the AppArmor project.
Overarching Goals
- Linux Kernel Acceptance
- Community Driven
- Improved Developer Base
- Improved Policy Management and Packaging
- Improved Administrator Experience
- Enhanced Mediation
Linux Kernel Acceptance
Upstreaming of the AppArmor kernel patches will proceed as the top priority. To speed its development, only the bare minimum tool set will be updated until the patch set is stabilized. The AppArmor project will be reorganized into several branches:
- deprecated branches - pre-AppArmor 2.0.1
- stable version - full tool support
* SUSE version
* Ubuntu version
* Mandriva version
- upstream development version - minimum tool support
- experimental branch - closely track upstream branch but containing features not ready for mainline.
Community Driven
Historically, the AppArmor project has been driven by a core team from first Immunix and later Novell. A wider community developer base is desired.
- set release cycle
- community input on features and directions
- easier integration into non-SUSE distros
Improved Developer Base
Extract base features into libraries and make it easier to develop, extend and maintain tools.
- libapparmor base library
- libaa_policy parsing and policy manipulation library
- refactored init scripts
- base command line utils and scripts
- package management macros
* rpm
* dpkg
Improved Policy Management and Packaging
- init scripts
- profile repository
- standardized
* policy layout
* enable/disable profiles
* detect local changes to profiles
* packaging tools and macros to handle profile installation
- better use of profile variables and better integration of them into the tools
* standardized set variables - GUI config / policy authoring
* turn policy chunks on/off by setting a variable
- better abstractions
- mythical merge tool (2 and 3 way merging)
- profile analysis and lint tool
- apparmor/selinux policy conversion tool to aid policy author in porting policy changes
Improved Administrator Experience
It is desired to improve the AppArmor administrator's experience through interaction, feedback, and tools.
- real time event dispatch
- user applets
* display/acknowledge rejects, launch profiling tools
- better introspection of loaded policy and event info
- GUI and command line tools
* improved command line (ncurses, ...)
* improved YaST UI
* non YaST UI
* gnome, gtk, kde, wxwidgets, ...?
- plug-ins/integration with security managers/centers
- LIMAL/CIM providers
- User generated/controlled policy
Enhanced Mediation
- improvements to policy language
* permission-first file rules
* improved path expressions
* deny rules (track what was denied during policy authoring)
* audit tag
- generalized transition model
- leverage stored attributes for mediation
* DAC (U:G:O) style perms?
* owner flag?
* acl flag to set ownership assertion?
- ipc
- fine grained network mediation
- containerization (profile namespaces)
* vservers
* roles
* user confinement
* pam change_profile
- option of early policy load, total confinement
* initramfs
* control of namespace (mount rules, ...)
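As an added illustration of the policy-language items above (permission-first file rules, profile variables, the owner flag, deny rules, the audit tag and a generalized transition via change_profile), the following is a hypothetical profile written in the AppArmor policy language for a fictitious /usr/bin/example-daemon. It is example policy written for this page, not a profile shipped by the AppArmor project; the program path, the @{EXAMPLE_DATA} variable and the worker sub-profile are assumptions.

```apparmor
# Added example profile (not from the AppArmor project): a hypothetical
# /usr/bin/example-daemon confined with the roadmap's policy features.
#include <tunables/global>

# profile variable (tunables/global already defines @{HOME})
@{EXAMPLE_DATA}=/var/lib/example/

/usr/bin/example-daemon {
  #include <abstractions/base>

  # permission-first file rules: access mode before the path
  r  /etc/example.conf,
  rw @{EXAMPLE_DATA}**,

  # owner flag: only files owned by the task's uid may be written
  owner @{HOME}/.example/** rw,

  # explicit deny rule; audit makes every matching attempt show up
  # in the log so the policy author sees what was refused
  audit deny /etc/shadow r,

  # audit tag on an allow rule: reads succeed but are still logged
  audit /etc/passwd r,

  # generalized transition: the daemon may switch to a narrower
  # sub-profile for its worker tasks
  change_profile -> /usr/bin/example-daemon//worker,

  profile worker {
    #include <abstractions/base>
    r @{EXAMPLE_DATA}**,
  }
}
```

Loading the profile with apparmor_parser and watching the audit log for the `audit` and `deny` rules is the intended workflow: a denied read of /etc/shadow is rejected and logged, while reads of /etc/passwd are allowed but still produce an audit record.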