[pkg-apparmor] [apparmor] RFC: draft proposal for enabling AppArmor by default in Debian

intrigeri intrigeri at debian.org
Thu Aug 3 22:46:05 UTC 2017


Hi!

Jamie Strandboge:
> I read the entire draft. It reads well and covers a lot.

:)

> I did want to mention
> that it may be worth pointing out that because of AppArmor upstream's efforts to
> push up the entire Ubuntu delta to the upstream kernel, Buster's kernel will
> hopefully/likely have everything and no out-of-tree patches. Many, many patches
> have already gone up and been accepted, with more already submitted/under review
> with a final batch being prepared.

Indeed, so I've added "and Buster's kernel will support tons of new
AppArmor mediation types compared to Stretch".

(The value Debian gets out of the upstreaming of the Ubuntu delta is more
features, not reducing our delta: Stretch's kernel has no out-of-tree
AppArmor patch.)

If I got your suggestion wrong, please let me know.

> I might also mention that while the major LSM stacking work has been slow,
> it has picked up recently and there is a lot of interest to have, say, AppArmor
> and SELinux stackable or AppArmor and SMACK stackable. We aren't there yet of
> course, but since you mentioned stacking, I thought I'd point this out.

Good idea, done (shamelessly stealing your wording; I'll credit all
reviewers and contributors to the text when I send it to
debian-devel at .)

> As someone who has dealt with a lot of AppArmor policy in Ubuntu, I can say that
> you are right on many counts: having it enabled by default will reveal issues
> sooner than later and people tend to not turn off AppArmor. The AppArmor project
> (and I'll speak for Ubuntu too) are very concerned about usability and not
> breaking people so you can be sure we'll continue to want to collaborate on
> policy […]
> Finally, I'll point out that for the Debian packages that
> carry AppArmor profiles, these are the profiles in use in Ubuntu and have been
> in use by millions of Ubuntu installs, so they are relatively proven in that
> regard (not claiming there won't be any bugs of course :).

All this counted a lot when I picked AppArmor years ago :)

Cheers,
-- 
intrigeri
