Re: Let's enable AppArmor by default (why not?)
- To: debian-devel@lists.debian.org
- Subject: Re: Let's enable AppArmor by default (why not?)
- From: intrigeri <intrigeri@debian.org>
- Date: Sun, 05 Nov 2017 17:40:20 +0100
- Message-id: <[🔎] 85efpcvfuz.fsf@boum.org>
- In-reply-to: <20171031183146.yyvj4e6wqtlxpfrk@perpetual.pseudorandom.co.uk> (Simon McVittie's message of "Tue, 31 Oct 2017 18:31:46 +0000")
- References: <857eyij4fb.fsf@boum.org> <fbb325ce-c21a-84f8-bece-d3e1696b66c7@debian.org> <ff7330ca-d813-5497-84fb-dff0e709bd32@t-online.de> <23473de1-4b90-80eb-9e1f-2485aa9db1a8@philkern.de> <5d6d0cfa-d739-759c-a536-8be883920cb0@iwakd.de> <20171031183146.yyvj4e6wqtlxpfrk@perpetual.pseudorandom.co.uk>
Hi,
thanks Christian and Simon for summing up the problem and pointing
to promising work.
As mentioned in my introductory email I don't think it's worth putting
too much effort into AppArmor for the GUI apps use case, and one
should not expect too much security from it. I suggest anyone
interested in major redesigns and solutions for the bright future to
look into the "security by designation" concept & the corresponding
implementations in Flatpak and friends instead.
This is why my preferred strategy here is to focus on the low-hanging
fruits i.e. ship policy that works well already, or needs only small
amounts of polishing.
For more complex cases for which AppArmor is not well suited, let's
either make the profile wide enough to avoid breaking stuff (at the
cost of making it provide little security) or simply disable it by
default. Thunderbird is definitely one of these complex cases so let's
keep an eye on it: if AppArmor is too disruptive there then we will
disable it by default for Thunderbird.
Cheers,
--
intrigeri
Reply to: