[pkg-apparmor] RFC: draft proposal for enabling AppArmor by default in Debian

Guido Günther agx at sigxcpu.org
Fri Aug 4 13:25:23 UTC 2017 

Hi,
Awesome this is moving forward!

On Thu, Aug 03, 2017 at 05:20:20PM -0400, intrigeri wrote:
[..snip..]
> A proposal
> ==========
> 
> 1. Enable AppArmor by default in testing/sid as soon as feasible in
>    the Buster cycle.
> 
>    I can think of several possible ways to do it but for now I'd
>    rather focus on the "do we want to do it at all" conversation.

I read below that you don't want to go too much into the implementation
details but do you already have a plan how to do this (i.e. to pull in
apparmor on existing installations, will the grub package change the
kernel command line, will it only affect new installations?) Stating the
details somewhere (maybe on the wiki) might make things look more
concrete.

> 2. During a year, watch out for AppArmor related issues and address
>    them in a prompt manner.
> 
>    Note that the best way to address them quickly enough is sometimes
>    to simply disable the problematic AppArmor profile: it's cheap,
>    doesn't require advanced AppArmor skills, and IMO a smaller
>    AppArmor policy enabled by default is more useful than a broader
>    but less robust one that only a couple thousand users benefit from.
> 
> 3. A year after AppArmor was enabled by default: evaluate how it went
>    and decide if Buster should be shipped with AppArmor enabled by
>    default or not.
> 
>    I commit to do an analysis using BTS data to help make this
>    decision. If we need formal success criteria and a clearly defined
>    team who'll make the call, I'm happy to think about it. But here
>    again I'd rather focus on the general idea than on implementation
>    details at this point.
> 
> Questions and Answers
> =====================
> 
> What do other distributions do?
> -------------------------------
> 
> AppArmor has been enabled by default in several other GNU/Linux
> distributions and Debian derivatives for a while:
> 
>  * in openSUSE + SLES, since 2006
>  * in Ubuntu, since 2008
>  * in Tails, since 2014
>  * in a few other Debian derivatives (Whonix, Subgraph OS) for at
>    least a couple years; I suspect that Simon McVittie can add to
>    the list.

It would be great to know what this actually means like

  * in Tails, since 2014 for all important services like …


> What's the history of AppArmor in Debian?
> -----------------------------------------
> 
> AppArmor has been available (opt-in) in Debian since 2011. In 2014
> a Debian AppArmor packaging team was created, that has been taking
> care of the AppArmor packages and policy since then.
> 
> In the last 3 years the AppArmor policy shipped in Debian was extended
> substantially and its coverage is now on par with Ubuntu's. It's still
> rather small due to the strategy we chose: we wanted to avoid
> traumatizing early adopters and to avoid creating a culture of
> "AppArmor always breaks stuff, let's get used to disabling it".
> So like Ubuntu, we're shipping a rather small and mature AppArmor
> policy. I believe this strategy has been successful so far, but of
> course it has one drawback: most software, including web browsers, is
> not confined with AppArmor whatsoever. Surely with more people

But we already have non-trivial packages that are confined
e.g. thunderbird. Might be worth mentioning as well.

[..snip..]

> 
> What's the cost for package maintainers?
> ----------------------------------------
> 
> Package maintainers have to deal with the aforementioned bug reports,
> whose number is likely to grow significantly once AppArmor is enabled
> by default. This means they have to:
> 
> 1. identify if a bug report can possibly be related to AppArmor;
> 2. either learn how to debug AppArmor issues themselves, or ask for
>    help to the pkg-apparmor team.
> 
> I expect that initially pkg-apparmor will need to provide help is many
> cases, but over time the affected maintainers will slowly learn just
> enough about AppArmor to handle at least the simplest cases
> themselves, just like it happened in Ubuntu years ago.

Are there docs to assist them? If so I'd link to them right away.

[..snip..]

> How can I help?
> ---------------
> 
>  * Enable AppArmor on your Debian systems:
>    https://wiki.debian.org/AppArmor/HowToUse
> 
>  * If you maintain a package that we ship AppArmor policy for:
>    test it with AppArmor enabled before uploading.

This might be off topic but do you already have plans to have packages
autpkg tested under apparmor on ci.debian.net or jenkins.debian.net. or
similar?
Cheers,
 -- Guido

> 
>  * Join the team:
>    https://wiki.debian.org/AppArmor/Contribute

More information about the pkg-apparmor-team mailing list