[pkg-apparmor] [apparmor] RFC: draft proposal for enabling AppArmor by default in Debian

Jamie Strandboge jamie at canonical.com
Thu Aug 3 22:08:28 UTC 2017


On Thu, 2017-08-03 at 17:20 -0400, intrigeri wrote:
> Hi Debian AppArmor team, upstream AppArmor people, people who
> volunteered to review this text, a few maintainers of packages that
> include AppArmor policy, and some innocent bystanders!
> 
> Please review the attached proposal. I will send it to debian-devel@
> tomorrow around 6pm (Montréal time) after taking your feedback
> into account.
> 
> If you're at DebCamp, I guess that the process will be nicer both for
> you and me if you grab me in person whenever you want to read the
> draft and comment live.
> 
> Thanks in advance :)

I read the entire draft. It reads well and covers a lot. I did want to mention
that it may be worth pointing out that because of AppArmor upstream's efforts to
push up the entire Ubuntu delta to the upstream kernel, Buster's kernel will
hopefully/likely have everything and no out-of-tree patches. Many, many patches
have already gone up and been accepted, with more already submitted/under review
with a final batch being prepared.

I might also mention that while the major LSM stacking work has been slow,
it has picked up recently and there is a lot of interest to have, say, AppArmor
and SELinux stackable or AppArmor and SMACK stackable. We aren't there yet of
course, but since you mentioned stacking, I thought I'd point this out.

As someone who has dealt with a lot of AppArmor policy in Ubuntu, I can say that
you are right on many counts: having it enabled by default will reveal issues
sooner than later and people tend to not turn off AppArmor. The AppArmor project
(and I'll speak for Ubuntu too) are very concerned about usability and not
breaking people so you can be sure we'll continue to want to collaborate on
policy (you might also recall AppArmor has the apparmor.d/local concept for
site-local changes). Finally, I'll point out that for the Debian packages that
carry AppArmor profiles, these are the profiles in use in Ubuntu and have been
in use by millions of Ubuntu installs, so they are relatively proven in that
regard (not claiming there won't be any bugs of course :).

Thanks for taking this on!

-- 
Jamie Strandboge             | http://www.canonical.com
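The apparmor.d/local mechanism mentioned above works only when the packaged profile actually contains an include of its local file; a profile without that line silently ignores any site-local additions. The following is an added example, not code from the mail or from the AppArmor project: it builds a constructed policy tree mirroring the /etc/apparmor.d layout for a hypothetical /usr/bin/example-daemon, and provides a check that lists profiles missing their local include. Nothing is written outside a temporary directory and no real policy is loaded.

```shell
#!/bin/sh
# Added example (not from the original message): the apparmor.d/local
# layout, plus a check that each profile includes its site-local file.
# The program /usr/bin/example-daemon and all rules below are constructed.
set -e

# Build a constructed policy tree under "$1" that mirrors /etc/apparmor.d
make_policy_tree() {
    root="$1"
    mkdir -p "$root/local"
    # Packaged profile: the include of <local/...> is what lets admins add
    # rules that survive package upgrades
    cat > "$root/usr.bin.example-daemon" <<'EOF'
#include <tunables/global>

/usr/bin/example-daemon {
  #include <abstractions/base>
  /etc/example-daemon/** r,
  /var/log/example-daemon.log w,

  # Site-specific additions live in local/ (see below)
  #include <local/usr.bin.example-daemon>
}
EOF
    # Site-local override: one extra read rule added by the administrator
    cat > "$root/local/usr.bin.example-daemon" <<'EOF'
# Site-local additions to usr.bin.example-daemon
/srv/example/data/** r,
EOF
}

# Return 0 when profile "$2" under tree "$1" includes its local file.
# Accepts both the classic "#include <...>" and the newer "include <...>".
has_local_include() {
    grep -Eq "^[[:space:]]*#?include[[:space:]]+<local/$2>" "$1/$2"
}

# Print the names of profiles under "$1" that lack a local include;
# these are the profiles whose local/ file would be ignored.
profiles_without_local_include() {
    for p in "$1"/*; do
        [ -f "$p" ] || continue
        name=$(basename "$p")
        has_local_include "$1" "$name" || echo "$name"
    done
}

# Stand-alone demo: build the tree, add one profile without the include,
# and report it. Uses a temporary directory, removed afterwards.
demo_dir=$(mktemp -d)
make_policy_tree "$demo_dir"
printf '/usr/bin/no-local-include {\n  /etc/foo r,\n}\n' \
    > "$demo_dir/usr.bin.no-local-include"
echo "Profiles without a local include:"
profiles_without_local_include "$demo_dir"
rm -rf "$demo_dir"
```

Run against a real tree with `profiles_without_local_include /etc/apparmor.d` to find packaged profiles where a local/ override would have no effect; each such profile is a candidate for a bug report asking the maintainer to add the include.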