Re: Let's enable AppArmor by default (why not?)
- To: debian-devel@lists.debian.org
- Subject: Re: Let's enable AppArmor by default (why not?)
- From: intrigeri <intrigeri@debian.org>
- Date: Sat, 09 Sep 2017 21:09:21 +0200
- Message-id: <[🔎] 85d16zu1su.fsf@boum.org>
- In-reply-to: <9d1412d5-9f48-3af1-70bc-79c44f637c1c@iwakd.de> (Christian Seiler's message of "Wed, 9 Aug 2017 23:00:24 +0200")
- References: <857eyij4fb.fsf@boum.org> <slrnoodm52.55v.jmm@inutil.org> <85zibcr9t5.fsf@boum.org> <226a3f19-63e7-b37c-0b2b-205456609048@iwakd.de> <85a838qy57.fsf@boum.org> <9d1412d5-9f48-3af1-70bc-79c44f637c1c@iwakd.de>
Hi,
Christian Seiler:
> On 08/09/2017 10:33 PM, intrigeri wrote:
>>> Or, conversely, is there a possibility to add a flag to the AppArmor
>>> profile to say "fail to load it if something is not understood"? In
>>> that case all profiles shipped by Debian would not include that (for
>>> interoperability reasons) but it could be documented that as a best
>>> practice for admins they should use that flag so that they can be
>>> sure that all protections they specified are actually affected.
>>
>> If we're fine with relying purely on documentation to address this
>> problem for sysadmins writing their own profiles, then we can suggest
>> they use the existing apparmor_parser options about this:
>>
>> alias apparmor_parser='apparmor_parser --warn=rules-not-enforced --warn=rule-downgraded'
>>
>> … and then no new code needs to be written :)
>>
>> Would that be good enough in your opinion?
> If that documentation is easy enough to find: sure, yes.
For now, I've added this to
https://wiki.debian.org/AppArmor/Contribute#Create_new_profiles
Once we've made progress on the documentation front (see below)
we can ensure that whatever resource we recommend documents this.
> Speaking of: are there any good introductions for AppArmor?
> […]
> For buster, if AppArmor is enabled by default (which btw. I'm in
> favor of, in case that was not clear), I think we should take care
> to nudge people towards the resources that describe best practices.
There are a number of AppArmor tutorials aimed at beginners. We link
to a few of them on https://wiki.debian.org/AppArmor#External_links.
but the mere fact that there are 7 of them, with greatly overlapping
content and no indication of who the target audience is, suggests we
don't have a good answer to your question yet.
So I've filed #874873 (severity: important) to keep this on our radar.
Thanks for caring,
cheers!
--
intrigeri
Reply to: