Re: Let's enable AppArmor by default (why not?)
Christian Seiler writes ("Re: Let's enable AppArmor by default (why not?)"):
> - Or one whitelists certain applications. This will have the
> unfortunate side-effect that any time the user installs a piece of
> software that isn't on that whitelist (or wants to use their own
> wrapper script) it won't work (because of AppArmor) - and
> unfortunately many users will then simply resort to disabling
> AppArmor in that case instead of actually creating a locally
> adapted policy. (Yes, sysadmins might not, but simple desktop
> users will - I know way too many people who simply don't even want
> to use group ownership and instead are happy to just do a
> chmod 0777 - and groups are mentally a lot simpler than AppArmor.)
I think this whitelisting approach is best. The reason is that most
of our system has not been hardened and audited against malicious
files. The need for an entry on the whitelist means that some
developer somewhere has decided that yes, this specific program should
be automaticaly exposed to potentially hostile data.
The lack of a useable exception mechanism, with a sensible UI, is a
big problem though. Ideally you would ask the user something like
This { email attachment | web download } is a DESCRIPTION. The
program for this is NAME but it has not been audited for security.
If you're not expecting this kind of file then you probably didn't
want to open it - it might be malware.
[[ Don't open ]]
[ Open this once ]
[ Always open these kinds of files without asking ]
You can change your mind about "always" by going to "settings"
/ "security" in the { Thunderbird | Firefox } menu.
Ian.
--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Reply to: