Re: recommends for apparmor in newest linux-image-4.13
On Thu, Nov 23, 2017 at 03:43:10PM +0100, Lars Wirzenius wrote:
>
> do you think you could manage to either point the general -devel
> reading population to a discussion of why using AppArmor by default is
> horrible news, or write that yourself? That would seem to be more
> constructive than you just showing up after months of discussion
> saying it's horrible news.
It's just a bad idea of a security model that implements ad-hoc
and mostly path-based restrictions instead of an actually verified
security model. Using that by default makes it much harder to actually
use a real MAC-based security model, which not only is required for
various security-sensitive deployments but is also a good idea in general.
Last but not least, AppArmor had various issues where certain distros
shipped non-upstream features that later turned out to be incompatible
with what went upstream.