Re: Let's enable AppArmor by default (why not?)

[intrigeri <intrigeri@debian.org>]

Hi,

Christian Seiler:
> On 08/09/2017 10:33 PM, intrigeri wrote:
>>> Or, conversely, is there a possibility to add a flag to the AppArmor
>>> profile to say "fail to load it if something is not understood"? In
>>> that case all profiles shipped by Debian would not include that (for
>>> interoperability reasons) but it could be documented that as a best
>>> practice for admins they should use that flag so that they can be
>>> sure that all protections they specified are actually affected.
>> 
>> If we're fine with relying purely on documentation to address this
>> problem for sysadmins writing their own profiles, then we can suggest
>> they use the existing apparmor_parser options about this:
>> 
>>   alias apparmor_parser='apparmor_parser --warn=rules-not-enforced --warn=rule-downgraded'
>> 
>> … and then no new code needs to be written :)
>> 
>> Would that be good enough in your opinion?

> If that documentation is easy enough to find: sure, yes.

For now, I've added this to
https://wiki.debian.org/AppArmor/Contribute#Create_new_profiles

Once we've made progress on the documentation front (see below)
we can ensure that whatever resource we recommend documents this.

> Speaking of: are there any good introductions for AppArmor?
> […]
> For buster, if AppArmor is enabled by default (which btw. I'm in
> favor of, in case that was not clear), I think we should take care
> to nudge people towards the resources that describe best practices.

There are a number of AppArmor tutorials aimed at beginners. We link
to a few of them on https://wiki.debian.org/AppArmor#External_links.
but the mere fact that there are 7 of them, with greatly overlapping
content and no indication of who the target audience is, suggests we
don't have a good answer to your question yet.

So I've filed #874873 (severity: important) to keep this on our radar.

Thanks for caring,
cheers!
-- 
intrigeri