Re: recommends for apparmor in newest linux-image-4.13

To: debian-devel@lists.debian.org
Subject: Re: recommends for apparmor in newest linux-image-4.13
From: Russ Allbery <rra@debian.org>
Date: Tue, 28 Nov 2017 20:22:50 -0800
Message-id: <[🔎] 87609tg1d1.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 18deb24e-d4b3-11e7-9b6a-00163eeb5320@msgid.mathom.us> (Michael Stone's message of "Tue, 28 Nov 2017 22:16:01 -0500")
References: <[🔎] 20171123131846.GA27575@lst.de> <[🔎] 1511445349.14687.63.camel@decadent.org.uk> <[🔎] 20171123135822.GA28776@lst.de> <[🔎] 1511445584.14687.64.camel@decadent.org.uk> <[🔎] 20171123140109.GA28885@lst.de> <[🔎] 20171123144310.gac6zwqysfzdsh3i@exolobe3> <[🔎] 20171128185445.GA5602@lst.de> <[🔎] 20171128230308.GB769@bongo.bofh.it> <[🔎] 18deb24e-d4b3-11e7-9b6a-00163eeb5320@msgid.mathom.us>

Michael Stone <mstone@debian.org> writes:

> FWIW, I also think apparmor a bad idea, but it's somehow morphed from
> "can we make it possible to turn apparmor on" to "let's make RC bugs for
> stuff that doesn't work with apparmor" without much real buy-in AFAICT.

Well, it's been possible to turn AppArmor on for a long time.  The recent
debian-devel discussion was about making it the default, which I think
would have made it reasonably obvious that bugs with AppArmor enabled are
going to at least have a much higher severity.

The proponents were quite clear and unambiguous about what they were
trying to do, and there were almost no objections in debian-devel, so it
does seem quite reasonable for them to proceed.

I'm wholeheartedly in favor of trying to get Debian to integrate well with
*some* LSM.  I think it's more important to get one of them to work than
exactly which one; the security benefits of having *any* LSM in place with
halfway decent rule coverage are pretty substantial.  I have no particular
opinion about the relative merits of AppArmor, but it's being actively
developed and Ubuntu has already done a lot of the integration work, so it
makes sense for it to be a potential path of least resistance to having
some LSM available by default.

Maybe SELinux would be better, but various people have been trying to make
SELinux better-integrated with Debian for quite some time, and those
efforts don't seem to have been particularly successful.  Ubuntu has
successfully shipped with AppArmor enabled.

My personal pet "I don't have time" project I'd love to see is extending
systemd units for as many services in Debian as possible to include
namespace restrictions and seccomp filter rules, which I think has good
parallel potential alongside an LSM for raising the default security
posture of Debian.  LSMs deal with per-file restrictions much more easily
than systemd's seccomp and namespace support, but the seccomp and
namespace support does a lot of other nice things that LSMs aren't as good
at.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Jonathan Dowland <jmtd@debian.org>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: "W. Martin Borgert" <debacle@debian.org>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Michael Stone <mstone@debian.org>

References:
- recommends for apparmor in newest linux-image-4.13
  - From: Christoph Hellwig <hch@lst.de>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Christoph Hellwig <hch@lst.de>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Christoph Hellwig <hch@lst.de>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Lars Wirzenius <liw@liw.fi>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Christoph Hellwig <hch@lst.de>
- Re: recommends for apparmor in newest linux-image-4.13
  - From: md@Linux.IT (Marco d'Itri)
- Re: recommends for apparmor in newest linux-image-4.13
  - From: Michael Stone <mstone@debian.org>

Prev by Date: Re: recommends for apparmor in newest linux-image-4.13
Next by Date: Bug#883046: ITP: apertium-crh-tur -- Apertium translation data for the Crimean Tatar-Turkish pair
Previous by thread: Re: recommends for apparmor in newest linux-image-4.13
Next by thread: Re: recommends for apparmor in newest linux-image-4.13
Index(es):
- Date
- Thread