
Provide AppArmor profile

Open komachi opened this issue 5 years ago • 7 comments

I drafted an AppArmor profile for Bisq https://github.com/komachi/apparmor-even-more-profiles/blob/master/profiles/opt.Bisq.Bisq

It works for me on Debian stable. I propose shipping an AppArmor profile (you can take mine) as part of the deb and rpm packages. This would greatly reduce the effect of possible vulnerabilities at nearly no cost other than maintaining this profile. Only users with AppArmor enabled will benefit from this, but that's a lot, given that Ubuntu, Debian and others have it enabled by default.

komachi avatar Jun 09 '20 14:06 komachi
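For readers who want to see what such a profile looks like before following the link, here is an illustrative skeleton for a profile installed as /etc/apparmor.d/opt.Bisq.Bisq. It is an added example, not komachi's or Talkless's profile and not anything the Bisq project ships; the install layout under /opt/Bisq, the per-user data directory under ~/.local/share/Bisq and the location of the bundled Tor binary are assumptions that need to be checked against the actual package. It starts in complain mode so that a wrong assumption produces a log entry rather than a broken wallet.

```apparmor
# Illustrative AppArmor profile for Bisq (added example, not the project's own).
# Assumed paths: launcher at /opt/Bisq/Bisq, bundled JRE and jars under /opt/Bisq,
# user data under ~/.local/share/Bisq, Tor extracted into that data directory.
#include <tunables/global>

/opt/Bisq/Bisq flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/freedesktop.org>

  # Launcher, bundled JRE and application jars (assumed layout under /opt/Bisq).
  /opt/Bisq/Bisq mr,
  /opt/Bisq/** r,
  /opt/Bisq/**.so mr,
  # If the launcher execs a bundled java binary, keep it under this profile (ix).
  /opt/Bisq/**/bin/java ix,

  # JVM housekeeping: cpu topology, cgroups, its own /proc entries and hsperfdata.
  @{PROC}/@{pid}/stat r,
  @{PROC}/@{pid}/maps r,
  @{PROC}/@{pid}/cgroup r,
  @{PROC}/sys/kernel/random/boot_id r,
  /sys/devices/system/cpu/** r,
  /sys/fs/cgroup/** r,
  owner /tmp/hsperfdata_*/ rw,
  owner /tmp/hsperfdata_*/* rwk,

  # Wallet, keys and Tor state in the per-user data directory (assumed path).
  owner @{HOME}/.local/share/Bisq/ rw,
  owner @{HOME}/.local/share/Bisq/** rwk,
  # Bisq runs a bundled Tor; assumed to be extracted into the data directory.
  # ix keeps the Tor child under this same profile instead of unconfined.
  owner @{HOME}/.local/share/Bisq/**/tor ix,
  owner @{HOME}/.java/ rw,
  owner @{HOME}/.java/** rwk,

  # Outbound TCP for the P2P network and Tor, UDP for DNS, netlink for
  # interface enumeration by the JVM.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

  # Things a compromised Bisq process must not reach even though the user can.
  deny @{HOME}/.ssh/** rwklx,
  deny @{HOME}/.gnupg/** rwklx,
  deny @{HOME}/.mozilla/** rwklx,
}
```

To try it: copy the file to /etc/apparmor.d/opt.Bisq.Bisq, load it with `sudo apparmor_parser -r /etc/apparmor.d/opt.Bisq.Bisq`, confirm with `sudo aa-status` that it is listed in complain mode, run Bisq through a full session (start, sync, trade, shutdown) and then run `sudo aa-logprof` to turn the logged accesses into rules; only after that switch to `sudo aa-enforce /etc/apparmor.d/opt.Bisq.Bisq`. The `deny` lines are the part worth reviewing most carefully: they encode what the wallet process should never touch, which is the actual damage-limiting value of shipping a profile.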

Thanks for opening your first issue here!

Be sure to follow the issue template. Your issue will be reviewed by a maintainer and labeled for further action.

boring-cyborg[bot] avatar Jun 09 '20 14:06 boring-cyborg[bot]

Hi @komachi , I too use my own Bisq profile on Debian Sid: https://gist.github.com/Talkless/261218250f45f125f8ac541e714ffcce

Not sure, though, where it should be versioned. I've got the qTox [0] profile incorporated into the project itself, but it's rather hard to get reviews, as there aren't many who know AppArmor, apparently.

The alternative is the apparmor-profiles [1] repository, where we could get AppArmor developers into reviews, but that repository versions profiles based on Ubuntu versions (like 19.10, 20.04)... There's some refactoring planned for that repo, but not sure when it will be done. Also, storing the profile separately from the Bisq sources could make packaging more complicated..? Though the Thunderbird Debian package just regularly fetches the AppArmor profile from apparmor-profiles and ships it in Debian [2].

[0] https://github.com/qTox/qTox/tree/master/security/apparmor
[1] https://gitlab.com/apparmor/apparmor-profiles
[2] https://salsa.debian.org/mozilla-team/thunderbird/-/tree/debian/sid/debian/apparmor

Talkless avatar Jun 15 '20 16:06 Talkless

AppArmor profiles are better provided by upstream.

apparmor-profiles is meant to fill the gap until every package gets an upstream profile, or until the profile is mature enough to be included at least in the distribution package. Also, Bisq is not packaged by Ubuntu nor by Debian, so it would be strange to maintain the profile in apparmor-profiles.

komachi avatar Jun 15 '20 17:06 komachi

@komachi Not all profiles in the apparmor-profiles repository go into the apparmor-profiles package (in Debian). As in the example I gave, the Thunderbird maintainer ships the profile from the apparmor-profiles upstream repository inside the thunderbird package. He syncs the file from time to time into the debian dir before releasing a new Thunderbird package.

Though I agree that it's kinda inconvenient that Bisq developers would have to fetch the profile from another repo, relying on Bisq developers/contributors to review AppArmor profiles might be naive/optimistic too... Though we can try, of course.

Talkless avatar Jun 27 '20 11:06 Talkless

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Sep 26 '20 10:09 stale[bot]

Ping. Still relevant, just need to find time to actually introduce AppArmor profile.

Talkless avatar Sep 27 '20 10:09 Talkless

How many would run a 300+ MB binary that doesn't provide an AppArmor profile? It should be part of the .deb; it's as simple as that.

drzraf avatar Sep 12 '24 17:09 drzraf