Generating AppArmor profiles for Tor and Apache¶
vagrant up /staging$/ vagrant ssh app-staging sudo su cd /var/www/securedrop
Run tests, use the application web interface, restart services,
reboot the VMs via
vagrant reload /staging/. The goal is to
create as much interaction with the system as possible, in order
to establish an expected baseline of behavior. Then run:
Follow the prompts on screen and save the new configuration. Then set the profile to complain mode:
Rinse and repeat, again running
aa-logprof to update the profile.
The AppArmor profiles are saved in
/etc/apparmor.d/. There are two
aa-logprof you will need to copy the modified profile back to
your host machine to include them in the
ansible -i .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory app-prod -m fetch -a 'flat=yes dest=install_files/ansible-base/ src=/etc/apparmor.d/usr.sbin.apache2' ansible -i .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory app-prod -m fetch -a 'flat=yes dest=install_files/ansible-base/ src=/etc/apparmor.d/usr.sbin.tor'
The AppArmor profiles are packaged with the
postinst puts the AppArmor profiles in enforce mode
on production hosts. In the staging environment, the
app-test Ansible role
puts the AppArmor profiles in complain mode, to faciliate the development workflow
aa-logprof outlined above.