Re: Let's enable AppArmor by default (why not?)
- Date: Wed, 09 Aug 2017 16:33:40 -0400
- From: intrigeri <intrigeri@xxxxxxxxxx>
- Subject: Re: Let's enable AppArmor by default (why not?)
> On 08/06/2017 05:32 PM, intrigeri wrote:
>> Rules that are not supported by the running kernel are silently
>> ignored, i.e. the operation is allowed.
> Is there at least a warning during the load of the profile?
There used to be a warning, but it was causing lots of confusion in
Debian: users were wondering if *any* of the AppArmor profiles that
caused warnings were applied at all. So in Jessie we decided to hide
> Or, conversely, is there a possibility to add a flag to the AppArmor
> profile to say "fail to load it if something is not understood"? In
> that case all profiles shipped by Debian would not include that (for
> interoperability reasons) but it could be documented that as a best
> practice for admins they should use that flag so that they can be
> sure that all protections they specified are actually affected.
If we're fine with relying purely on documentation to address this
problem for sysadmins writing their own profiles, then we can suggest
they use the existing apparmor_parser options about this:
alias apparmor_parser='apparmor_parser --warn=rules-not-enforced --warn=rule-downgraded'
… and then no new code needs to be written :)
Would that be good enough in your opinion?
Thanks for all this useful input!
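An added example, not part of the thread or of the apparmor project, of how an admin could turn the suggested `--warn` options into the "refuse to load if something is not understood" behaviour the reply asks for: parse the profile first with `-Q` (check only, no kernel load) and the two `--warn` flags from the message, fail if the parser emitted any warning, and only then load it with `-r`. The exact wording of the parser's warning lines is an assumption, so the check matches the word "warning" case-insensitively rather than a precise message; the sample outputs used below are constructed for illustration.

```shell
#!/bin/sh
# strict_load.sh: load an AppArmor profile only if apparmor_parser reports no
# downgraded or unenforced rules. Example code written for this thread; the
# --warn=rules-not-enforced / --warn=rule-downgraded options are the ones named
# in the message above, -Q (--skip-kernel-load) and -r (--replace) are existing
# apparmor_parser options. The warning-line format is an assumption.

WARN_FLAGS='--warn=rules-not-enforced --warn=rule-downgraded'

# has_unenforced_warning TEXT
# Returns 0 (true) if TEXT, the captured parser output, contains a warning,
# 1 otherwise. Matching is deliberately loose ("warning", any case) because
# the precise message text differs between parser versions (assumption).
has_unenforced_warning() {
    printf '%s\n' "$1" | grep -qi 'warning'
}

# strict_check PROFILE
# Parse PROFILE against the running kernel's feature set without loading it.
# Exit status: 0 = clean, 1 = parsed but with warnings, 2 = parse error.
strict_check() {
    profile="$1"
    # 2>&1 >/dev/null: keep stderr (where warnings go), drop stdout.
    if ! out=$(apparmor_parser -Q $WARN_FLAGS "$profile" 2>&1 >/dev/null); then
        printf 'parse error in %s:\n%s\n' "$profile" "$out" >&2
        return 2
    fi
    if has_unenforced_warning "$out"; then
        printf 'refusing %s: some rules would not be enforced:\n%s\n' \
            "$profile" "$out" >&2
        return 1
    fi
    return 0
}

# strict_load PROFILE
# Load (replace) PROFILE into the kernel only if strict_check passed.
strict_load() {
    strict_check "$1" || return $?
    apparmor_parser -r $WARN_FLAGS "$1"
}

# Usage: ./strict_load.sh /etc/apparmor.d/usr.bin.foo
# (only runs when executed directly, not when the functions are sourced)
if [ "$#" -gt 0 ]; then
    strict_load "$1"
fi
```

Note that `-Q` still needs the kernel's feature list (it is read from the securityfs `features` directory) to decide which rules would be downgraded, so run the check on the host that will enforce the profile, not on a build machine with a different kernel.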