Web lists-archives.com

Re: Let's enable AppArmor by default (why not?)




Hi,

Moritz Mühlenhoff:
> I'd expect that a lot of the AppArmor profiles currently in use are
> coming from Ubuntu or OpenSUSE.

Yes, historically (most of them are now maintained via a cross-distro
collaborative effort that a few Debian people participate in).

> If one of those profiles relies on features which are not upstreamed
> on the kernel end, how's that handled?

Rules that are not supported by the running kernel are silently
ignored, i.e. the operation is allowed.

For example, the profile for ping(8) specifies:

  network inet raw,
  network inet6 raw,

In Ubuntu, and in Debian once network socket mediation support lands
in Linux mainline, this means "no socket(2) based operation is allowed
except inet and inet6 raw sockets". In current Debian, no network
mediation by AppArmor is available so all socket(2) based operations
are allowed.

This way:

 * the same profile can be shared between distros, regardless of
   whether they apply not-upstreamed-yet AppArmor kernel patches;

 * once new AppArmor features land in Linux mainline, we automatically
   benefit from stronger confinement that's already implemented in our
   AppArmor policy.

Cheers,
-- 
intrigeri