Enable AppArmor #714
The Chrome settings should also be applied to the business VM where it is also running Chrome.
Hey, many thanks for the PR.
It would be great to add the following information to the documentation:
- Profile creation: Base profile(s) used, adjustments and reasoning
- Test information: How did we verify the profiles functionally, and what security testing/analysis did we perform?
  E.g., do we have a list of recent Chromium CVEs and a potential analysis of how the confinement measures may have mitigated the impact? This would be a great motivation for using the profiles.
- Performance impact: Thanks for the figures provided. It's however not entirely clear to me how we ended up with the conclusion.
  Can we add a final table with the testing results, with a clear indicator of performance impact of the test case such as "video streaming: ~5-10% overhead during initial load, ~1% during execution, etc."
  Also, it would be helpful to describe the test methodology and tools used, so one can verify the results.
Done.
Rebased to latest main.
Upstream fixes have been merged.
- options to enable Apparmor security
- profile for Chromium and Firefox
Signed-off-by: Ganga Ram <[email protected]>
- Chromium-vm
- Business-vm
Signed-off-by: Ganga Ram <[email protected]>
2 commits up to: b07c0cf
platform: Lenovo X1 Carbon; flash script; USB SSD
works:
notes:
issues:
Description of changes
Checklist for things done
x86_64
aarch64
riscv64
nix flake check --accept-flake-config and it passes
Testing
Verify if chromium profile is active inside chromium-vm.
$> sudo aa-status
Do audio and video recording/playback, Google spreadsheet editing using Chromium browser.
A brief documentation and test report are available in Confluence.
https://ssrc.atlassian.net/wiki/spaces/GA/pages/1187708968/Security#1.-AppArmor%3A
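
A loaded profile only confines the browser when it is in enforce mode and the running process is attached to it, so the `aa-status` step above can be scripted as a pass/fail check. This is an added example, not code from the PR; the profile names `chromium` and `firefox` and the sample output are assumptions constructed for illustration.

```shell
# Constructed sample of aa-status text output (not captured from the project).
# The profile names "chromium" and "firefox" are assumptions.
sample_status() {
cat <<'EOF'
apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/man
   chromium
1 profiles are in complain mode.
   firefox
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/bin/chromium (1423) chromium
1 processes are in complain mode.
   /usr/bin/firefox (1510) firefox
0 processes are unconfined but have a profile defined.
EOF
}

# Print the mode of profile $1 (enforce, complain, kill, unconfined), or
# "absent" when it is not loaded. Reads aa-status output on stdin.
profile_mode() {
    awk -v want="$1" '
        /^[0-9]+ profiles are in [a-z]+ mode\.$/ { mode = $5; next }
        /^[0-9]+ / { mode = ""; next }   # any other count line ends the list
        mode != "" && res == "" {
            gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 == want) res = mode
        }
        END { print (res == "" ? "absent" : res) }
    '
}

# Print the PIDs that aa-status lists as enforced under profile $1.
enforced_pids() {
    awk -v want="$1" '
        /^[0-9]+ processes are in enforce mode\.$/ { on = 1; next }
        /^[0-9]+ / { on = 0; next }
        on && $NF == want { gsub(/[()]/, "", $2); print $2 }
    '
}

# Succeed only when profile $1 is loaded in enforce mode.
require_enforced() { [ "$(profile_mode "$1")" = "enforce" ]; }

# On the VM: sudo aa-status | require_enforced chromium
for p in chromium firefox; do echo "$p: $(sample_status | profile_mode "$p")"; done
```

A profile reported as `complain` only logs violations, so a test run that passes functionally in that mode says nothing about confinement.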