Re: Let's enable AppArmor by default (why not?)




Hi intrigeri,

> tl;dr: I hereby propose we enable AppArmor by default in testing/sid,
> and decide one year later if we want to keep it this way in the
> Buster release.

Thanks for such a comprehensive and compelling write-up :)

>  * Enable AppArmor on your Debian systems:
>    https://wiki.debian.org/AppArmor/HowToUse

  $ sudo aa-status | head -n2
  apparmor module is loaded.
  49 profiles are loaded.

(Well, I should take more risks, right…?)

>  * If you maintain a package for which we ship AppArmor policy in
>    Debian: test it with AppArmor enabled before uploading.

Related to this, most of my packages are 'server'-ish and it feels
like some of the hardening features are also/already covered by my
systemd .service files.

Should/could I be also reimplementing these in AppArmor for defense
in depth or any comments in this general area?


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@xxxxxxxxxx / chris-lamb.co.uk
       `-