[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Let's enable AppArmor by default (why not?)

Mathieu Parent:
> Could'nt we:

> 5. Make linux-image-$abi-$arch Depends on apparmor | selinux-basics |
> tomoyo-tools | linux-no-lsm

> With linux-no-lsm being a new empty package, and all of apparmor,
> selinux-basics, tomoyo-tools enable the corresponding LSM.

This would be ideal on the long term and a lot of thought has been put
into it (#702030), but it requires quite some work in various places
and AFAIK nobody looked into how it could work for non-GRUB
bootloaders; I suspect some of the major bootloaders we support don't
offer the same flexibility as GRUB wrt. random packages injecting
parameters on the kernel command line.

As Ben Hutchings wrote on https://bugs.debian.org/879590#10, "We
really should have a common way to append things to the kernel command
line […] but this shouldn't have to wait for that" with which
I couldn't agree more.

Thankfully we already have another, cheap solution to address the "how
to enable the AppArmor LSM in the kernel" problem :) So now I'd rather
focus on the other, remaining problem, i.e. "how to pull in the
AppArmor policy + userspace tools".


Reply to: