Enable AppArmor

[gangaram-tii]

Description of changes

• Enabled AppArmor
• AppArmor profiles for Chromium and Firefox
• AppArmor enabled in chromium-vm along with Chromium profile

Checklist for things done

• Summary of the proposed changes in the PR description
• More detailed description in the commit message(s)
• Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
• Contribution guidelines followed
• Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
• PR linked to architecture documentation and requirement(s) (ticket id)
• Test procedure described (or includes tests). Select one or more:
  • Tested on Lenovo X1 x86_64
  • Tested on Jetson Orin NX or AGX aarch64
  • Tested on Polarfire riscv64
• [] Author has run nix flake check --accept-flake-config and it passes
• All automatic Github Action checks pass - see actions
• Author has added reviewers and removed PR draft status

Testing

Verify if chromium profile is active inside chromium-vm.
$> sudo aa-status

Do audio and video recording/playback, Google spread sheet editing using Chromium browser.

A brief documentation and test report are available in confluence.

https://ssrc.atlassian.net/wiki/spaces/GA/pages/1187708968/Security#1.-AppArmor%3A

[brianmcgillion]

The Chrome settings should also be applied to the business VM where it is also running Chrome.

[mbssrc]

Hey, many thanks for the PR.

It would be great to add the following information to the documentation:

• Profile creation: Base profile(s) used, adjustments and reasoning
• Test information: How did we verify the profiles functionally, and what security testing/analysis did we perform?
  E.g., do we have a list of recent chromium CVEs and a potential analysis of how the confinement measures may have mitigated the impact? This would be a great motivation for using the profiles.
• Performance impact: Thanks for the figures provided. It's however not entirely clear to me how we ended up with the conclusion.
  Can we add a final table with the testing results, with clear indicator of performance impact of the test case such as "video streaming: ~5-10% overhead during initial load, ~1% during execution, etc."
  Also, it would be helpful to describe the test methodology and tools used, so one can verify the results.

[gangaram-tii]

The Chrome settings should also be applied to the business VM where it is also running Chrome.

Done.

[gangaram-tii]

Rebased to latest main.

[gangaram-tii]

Hey, many thanks for the PR.

It would be great to add the following information to the documentation:

* Profile creation: Base profile(s) used, adjustments and reasoning

Updated the page on Confluence.

* Test information: How did we verify the profiles functionally, and what security testing/analysis did we perform?
  E.g., do we have a list of recent chromium CVEs and a potential analysis of how the confinement measures may have mitigated the impact? This would be a great motivation for using the profiles.

We did testing to verify if the rules in profile are behaving as per our expectation. Security analysis report is available here.

* Performance impact: Thanks for the figures provided. It's however not entirely clear to me how we ended up with the conclusion.
  Can we add a final table with the testing results, with clear indicator of performance impact of the test case such as "video streaming: ~5-10% overhead during initial load, ~1% during execution, etc."
  Also, it would be helpful to describe the test methodology and tools used, so one can verify the results.

Updated the test report and created a conclusion table.
Will upload scripts I used to take performance data.

[Mic92]

Upstream fixes has been merged.

[barnabakos]

2 commits up to: b07c0cf
rebased to current tip of Ghaf main without conflicts: 5d5ae6d

platform: Lenovo X1 Carbon; flash script; USB SSD

• ci-test-automation suite: ok
• starting apps: ok
• regression / ad-hoc testing: ok

works:

• AppArmor profile is active inside chromium-vm & business-vm
• audio and video recording/playback

notes:

• N/A

issues:

• cannot save files to "Unsafe share" from Chromium and Trusted Browser