Re: Let's enable AppArmor by default (why not?)

To: debian-devel@lists.debian.org
Subject: Re: Let's enable AppArmor by default (why not?)
From: Chris Lamb <lamby@debian.org>
Date: Wed, 09 Aug 2017 09:10:23 -0400
Message-id: <[🔎] 1502284223.3595759.1068013368.2A4DA774@webmail.messagingengine.com>
In-reply-to: <[🔎] 857eyij4fb.fsf@boum.org>
References: <[🔎] 857eyij4fb.fsf@boum.org>

Hi intrigeri,

> tl;dr: I hereby propose we enable AppArmor by default in testing/sid,
> and decide one year later if we want to keep it this way in the
> Buster release.

Thanks for such a comprehensive and compelling write-up :)

>  * Enable AppArmor on your Debian systems:
>    https://wiki.debian.org/AppArmor/HowToUse

  $ sudo aa-status | head -n2
  apparmor module is loaded.
  49 profiles are loaded.

(Well, I should take more risks, right…?)

>  * If you maintain a package for which we ship AppArmor policy in
>    Debian: test it with AppArmor enabled before uploading.

Related to this, most of my packages are 'server'-ish and it feels
like some of the hardening features are also/already covered by my
systemd .service files.

Should/could I be also reimplementing these in AppArmor for defense
in depth or any comments in this general area?


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Reply to:

Follow-Ups:
- Re: Let's enable AppArmor by default (why not?)
  - From: intrigeri <intrigeri@debian.org>

References:
- Let's enable AppArmor by default (why not?)
  - From: intrigeri <intrigeri@debian.org>

Prev by Date: Re: Automatic way to install dbgsym packages for a process?
Next by Date: Re: Maintainer information in source packages (was: Re: Returning to the requirement that Uploaders: contain humans)
Previous by thread: Re: Let's enable AppArmor by default (why not?)
Next by thread: Re: Let's enable AppArmor by default (why not?)
Index(es):
- Date
- Thread