Page MenuHomePhabricator

containment for Citoid
Closed, ResolvedPublic

Description

We should get citoid an apparmor manifest as we have done for OCG. It will increase the overall security of the service and confine it.

Event Timeline

akosiaris claimed this task.
akosiaris raised the priority of this task from to Medium.
akosiaris updated the task description. (Show Details)
akosiaris added projects: acl*sre-team, Services.

Many of the interesting bits of AppArmor have not been merged upstream (e.g. network confinement) and newer versions of AppArmor don't even make it upstream anymore. Thus, with the switch to Debian, we kind of lost the capability of sanely using AppArmor (this was well documented in advance).

I don't think it makes much sense to waste time for that now. We should instead invest into some of the systemd confinement features that are here to stay.

akosiaris renamed this task from apparmor for citoid to containment for Citoid.EditedJun 19 2015, 1:34 PM
akosiaris reassigned this task from akosiaris to MoritzMuehlenhoff.
akosiaris set Security to None.
akosiaris added a subscriber: akosiaris.

Reassigning to moritz who already works on an approach based on firejail. Also changing the subject reference from "apparmor" to the more generic "containmnent"

Change 219811 had a related patch set uploaded (by Muehlenhoff):
Enable firejail for citoid

https://gerrit.wikimedia.org/r/219811

Change 219811 merged by Alexandros Kosiaris:
Enable firejail for citoid

https://gerrit.wikimedia.org/r/219811

This is now enabled in production.