Re: Let's enable AppArmor by default (why not?)
On 08/09/2017 10:33 PM, intrigeri wrote:
> Christian Seiler:
>> On 08/06/2017 05:32 PM, intrigeri wrote:
>>> Rules that are not supported by the running kernel are silently
>>> ignored, i.e. the operation is allowed.
>> Is there at least a warning during the load of the profile?
> There used to be a warning, but it was causing lots of confusion in
> Debian: users were wondering if *any* of the AppArmor profile that
> caused warning was applied at all. So in Jessie we decided to hide
> these warnings.
Good to know. And since this kind of warning is more likely to lead
people to disable AppArmor altogether because they want to get rid
of the message and are scared by it, you're probably right in
removing that warning, because limited AppArmor protections are
probably still better as a defense-in-depth strategy than none at
>> Or, conversely, is there a possibility to add a flag to the AppArmor
>> profile to say "fail to load it if something is not understood"? In
>> that case all profiles shipped by Debian would not include that (for
>> interoperability reasons) but it could be documented that as a best
>> practice for admins they should use that flag so that they can be
>> sure that all protections they specified are actually affected.
> If we're fine with relying purely on documentation to address this
> problem for sysadmins writing their own profiles, then we can suggest
> they use the existing apparmor_parser options about this:
> alias apparmor_parser='apparmor_parser --warn=rules-not-enforced --warn=rule-downgraded'
> … and then no new code needs to be written :)
> Would that be good enough in your opinion?
If that documentation is easy enough to find: sure, yes.
Speaking of: are there any good introductions for AppArmor? Not
necessarily for me personally (I've had some experience with
SELinux, so I recon I'll figure AppArmor out easily enough), but
for beginners? Something I can point friends of mine to? Ideally
something that doesn't just describe the syntax, but also best
practices? When I first ran into SELinux I found a couple of
tutorials which did things where I thought, well this doesn't
seem quite well enough thought out, I can think of a couple of
corner cases where this would fainot do what it was advertising,
only to later find that my impression was true and people with
even more knowledge of SELinux talked about not doing the things
I had seen in these tutorials, and suggesting more sensible
things as best practices. Unfortunately the writings by the real
experts were not in tutorial form. For buster, if AppArmor is
enabled by default (which btw. I'm in favor of, in case that was
not clear), I think we should take care to nudge people towards
the resources that describe best practices.