
AppArmor profile for upstream ejabberd #3504

Open
antisocrates opened this issue Jan 28, 2021 · 6 comments
Labels
Component:Installers Kind:Feature Packaging:Deb deb package (either from GitHub Releases or ProcessOne repo)

Comments

@antisocrates

antisocrates commented Jan 28, 2021

Is your feature request related to a problem? Please describe.
The upstream packages (.deb specifically) lack an AppArmor profile, also the one that comes with the package from debian repositories is outdated and doesn't work.

Describe the solution you'd like
An ejabberd profile for AppArmor to be given with the official package, to be enabled optionally by users.

Describe alternatives you've considered
A link inside the documentation pointing to an up-to-date profile for ejabberd.

Additional context

I have created an up-to-date ejabberd profile for AppArmor based on the one offered with the Debian repository package, which works in all features I have tried (upload, OMEMO encryption, SQL database access, audio/video call, registration etc.).
The tests have been done on Debian Buster 10, with ejabberd 20.04.
Attachment: ejabberdctl.txt

@Neustradamus

@debalance: ^

@antisocrates
Author

Also, to clarify, this is for the upstream .deb package in the ProcessOne website download section, which installs files in /opt.
The Debian repository package moves things around, so changes would be needed.

@badlop badlop added Component:Installers Packaging:Deb deb package (either from GitHub Releases or ProcessOne repo) labels Jan 28, 2021
@weiss
Member

weiss commented Jan 28, 2021

Thanks for your work on this.

However, I'm not sure it's a good idea to include this upstream:

  • Will this work with each and every AppArmor version around?
  • Who will take care of applying and testing the necessary modifications when relevant things in ejabberd (and/or AppArmor) change?

@antisocrates
Author

Great questions, weiss.

As I see it, the options could be:

  • Include an AppArmor profile only on certain versions (known to be working well, sort of an LTS release), in which case I can aid testing the profile, since I already use the upstream package from ProcessOne and use an AppArmor profile (I can test that with the latest stable AppArmor each time).
  • Include a repository of profiles (one for each version we have tested), not inside the upstream package but somewhere (maybe a git repository) that is linked inside the documentation (so people can find it) under the "securing ejabberd" article. There we can also offer instructions on how to fine-tune AppArmor for more specific scenarios.

@darix

darix commented Jan 30, 2021

This apparmor profile could see a lot of improvements (like not munching everything together with ix)
that would give the beam.smp process in the end things to execute and you want to avoid that.

@antisocrates
Author

antisocrates commented Jan 31, 2021

> This apparmor profile could see a lot of improvements (like not munching everything together with ix)
> that would give the beam.smp process in the end things to execute and you want to avoid that.

The profile is based on the Debian team one, with adjustments to make it work:
Salsa Debian Ejabberd

Also, if you have specific ideas on improvements besides this line /usr/lib/erlang/erts-*/bin/beam* ix, feel free to point them out; I am sure the profile will be handy for people looking for one, even if it's not included upstream.
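The point darix raises is about the execute transition: with `ix`, beam.smp inherits the profile of the ejabberdctl wrapper that launched it, so every execute rule the shell script needs (a shell, grep, sed, and so on) is also granted to the Erlang VM, which is the process actually exposed to the network. The usual fix is to move the VM into its own child profile with a much smaller rule set. The fragment below is an added illustration written for this discussion; it is neither the profile attached to this issue nor the Debian one. Only the beam line is taken from the thread; the /opt/ejabberd-*/ and /opt/ejabberd/ layout, the list of wrapper tools, and the OTP helper names under erts-*/bin are assumptions that need to be checked against the actual package.

```apparmor
# Added example for issue #3504, not the attached ejabberdctl profile and not
# Debian's. Assumed layout: /opt/ejabberd-*/ holds the release, /opt/ejabberd/
# holds conf, database, logs and upload. Helper names under erts-*/bin are the
# usual OTP ones and were not verified against the upstream .deb.
#include <tunables/global>

profile ejabberdctl /opt/ejabberd-*/bin/ejabberdctl {
  #include <abstractions/base>

  # The wrapper is a shell script; these are the tools it is assumed to call.
  /bin/sh ix,
  /bin/bash ix,
  /bin/grep rix,
  /bin/sed rix,
  /usr/bin/id rix,
  /opt/ejabberd-*/bin/ejabberdctl r,
  /opt/ejabberd/conf/ejabberdctl.cfg r,

  # Before (line quoted in the thread):
  #   /usr/lib/erlang/erts-*/bin/beam* ix,
  # `ix` runs beam.smp under THIS profile, so every rule above is reachable
  # from inside the VM. A child profile gives the VM its own rule set.
  # Lowercase `cx` is deliberate: `Cx` would trigger secure-exec and scrub
  # LD_LIBRARY_PATH and similar variables the wrapper may set for the VM.
  /usr/lib/erlang/erts-*/bin/beam* cx -> beam,

  profile beam {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/ssl_certs>

    # XMPP, HTTP and STUN/TURN listeners (TCP and UDP, both address families).
    network inet stream,
    network inet6 stream,
    network inet dgram,
    network inet6 dgram,

    # The only binaries the VM may execute are OTP's own helpers, and they
    # inherit this profile. Nothing from /bin or /usr/bin is listed, so a
    # compromised VM has no shell or system tool to exec (default deny).
    /usr/lib/erlang/erts-*/bin/beam* r,
    /usr/lib/erlang/erts-*/bin/inet_gethost ix,
    /usr/lib/erlang/erts-*/bin/erl_child_setup ix,
    /usr/lib/erlang/erts-*/bin/epmd ix,

    # Runtime and application code: read and mmap only, never write.
    /usr/lib/erlang/** r,
    /usr/lib/erlang/**.so mr,
    /opt/ejabberd-*/lib/** r,
    /opt/ejabberd-*/lib/**.so mr,

    # Mutable state is confined to the data directory and to files the
    # ejabberd user owns; configuration stays read-only.
    /opt/ejabberd/conf/** r,
    owner /opt/ejabberd/database/** rwk,
    owner /opt/ejabberd/logs/** rw,
    owner /opt/ejabberd/upload/** rw,
  }
}
```

To check a candidate profile without touching the running system, parse it with `apparmor_parser -Q -v <file>` (syntax only, no kernel load), then load it in complain mode with `aa-complain`, exercise the features listed earlier in the issue (upload, OMEMO, SQL, calls, registration) and run `aa-logprof` to turn the logged denials into rules. Anything that shows up as an exec denial from the `ejabberdctl//beam` child is exactly the kind of helper that should be questioned rather than added back with `ix`.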
