[pkg-apparmor] [apparmor] RFC: draft proposal for enabling AppArmor by default in Debian

Christian Boltz apparmor at cboltz.de
Thu Aug 3 22:04:09 UTC 2017


Hello,

your mail looks great, and I have only a few small comments:

Am Donnerstag, 3. August 2017, 23:20:20 CEST schrieb intrigeri:
> AppArmor confines programs according to a set of rules that specify
> what operations a given program can access, e.g. it can prevent your
> PDF reader and video player from accessing your GnuPG secrets keys and

... secret__ keys ...

...
> A proposal
> ==========
...
>    Note that the best way to address them quickly enough is sometimes
>    to simply disable the problematic AppArmor profile: it's cheap,
>    doesn't require advanced AppArmor skills, and IMO a smaller
>    AppArmor policy enabled by default is more useful than a broader
>    but less robust one that only a couple thousand users benefit from.

I understand why you wrote this, but I'd still prefer to recommend 
aa-complain + collecting logs here ;-)

...
> What's the history of AppArmor in Debian?
> -----------------------------------------
> 
> AppArmor has been available (opt-in) in Debian since 2011. In 2014
> a Debian AppArmor packaging team was created, that has been taking
> care of the AppArmor packages and policy since then.
> 
> In the last 3 years the AppArmor policy shipped in Debian was extended
> substantially and its coverage is now on par with Ubuntu's. It's
> still rather small due to the strategy we chose: we wanted to avoid
> traumatizing early adopters and to avoid creating a culture of
> "AppArmor always breaks stuff, let's get used to disabling it". So
> like Ubuntu, we're shipping a rather small and mature AppArmor

I apply the same strategy to openSUSE, so feel free to change this to    
    ... like Ubuntu _and openSUSE_, we're shipping ...
;-)


Enjoy DebCamp and DebConf, and good luck in getting AppArmor enabled by 
default!


Regards,

Christian Boltz
-- 
you are expected to know what you're doing (e.g. you're a test script).
[Steve Beattie in apparmor]
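An added example, not part of this mail or of the Debian AppArmor packaging team's tooling, illustrating the "aa-complain + collecting logs" workflow Christian prefers over disabling a profile outright: the profile stays loaded in complain mode, the kernel logs what would have been blocked as `apparmor="ALLOWED"`, and the collected events tell you which rules the profile is missing. `aa-complain` and `aa-enforce` are the real apparmor-utils commands; the audit lines and the paths in them are constructed for this example, and the helper function names are this example's own.

```shell
#!/bin/sh
# Workflow (run on the affected host; shown here as comments, not executed):
#   sudo aa-complain /etc/apparmor.d/usr.bin.evince   # log instead of block
#   ... reproduce the breakage, then collect the audit events ...
#   sudo aa-enforce  /etc/apparmor.d/usr.bin.evince   # back to enforcing
#
# Constructed sample of AppArmor audit events (format as emitted by the
# kernel LSM; these specific lines are made up for this example).
SAMPLE_LOG=$(cat <<'EOF'
type=AVC msg=audit(1501797849.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/home/alice/Documents/report.pdf" pid=2101 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1501797849.102:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/home/alice/.config/evince/print-settings" pid=2101 comm="evince" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
type=AVC msg=audit(1501797849.103:203): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/home/alice/.gnupg/pubring.kbx" pid=2150 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1501797849.104:204): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/evince" pid=2099 comm="apparmor_parser"
type=AVC msg=audit(1501797849.105:205): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/home/alice/Documents/report.pdf" pid=2130 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
EOF
)

# count_mode MODE: number of events on stdin with apparmor="MODE"
# (ALLOWED = complain-mode hit, DENIED = enforced block).
count_mode() {
    grep -c "apparmor=\"$1\"" || true
}

# profiles_needing_rules: distinct profiles that produced ALLOWED events,
# i.e. complain-mode profiles whose policy is missing rules.
profiles_needing_rules() {
    grep 'apparmor="ALLOWED"' \
        | sed -n 's/.*profile="\([^"]*\)".*/\1/p' \
        | LC_ALL=C sort -u
}

# allowed_file_rules: one "<profile>: <path> <mask>," line per distinct
# complain-mode file access, a starting point for the rules to add
# (review each one; do not paste them in blindly).
allowed_file_rules() {
    grep 'apparmor="ALLOWED"' | awk '{
        p = n = m = "?"
        if (match($0, /profile="[^"]*"/))        p = substr($0, RSTART+9,  RLENGTH-10)
        if (match($0, /name="[^"]*"/))           n = substr($0, RSTART+6,  RLENGTH-7)
        if (match($0, /requested_mask="[^"]*"/)) m = substr($0, RSTART+16, RLENGTH-17)
        if (n != "?") print p ": " n " " m ","
    }' | LC_ALL=C sort -u
}

# Stand-alone demo over the constructed sample.
printf 'complain-mode hits: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_mode ALLOWED)"
printf 'enforced denials:   %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_mode DENIED)"
printf '%s\n' "$SAMPLE_LOG" | allowed_file_rules
```

On a real host the input would come from `/var/log/audit/audit.log` (auditd) or the kernel log rather than `$SAMPLE_LOG`; the point of the exercise is that a complain-mode profile keeps producing this evidence while users are not blocked, whereas a disabled profile produces nothing to fix the policy from.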