Re: Let's enable AppArmor by default (why not?)
- Date: Thu, 10 Aug 2017 14:38:13 -0700
- From: John Johansen <john.johansen@xxxxxxxxxxxxx>
- Subject: Re: Let's enable AppArmor by default (why not?)
On 08/10/2017 02:23 PM, Simon McVittie wrote:
> On Thu, 10 Aug 2017 at 12:00:15 -0700, John Johansen wrote:
>> but ideally would be enabled by the dbus code advising the
>> kernel module it is mediating
> "The" dbus code? There can be several parallel instances of dbus-daemon,
> possibly different versions of the executable, certainly differently
> configured, which can result in any combination of them having
> AppArmor mediation enabled or disabled. For example a typical GNOME
> laptop will have a system bus, a session bus for the system user
> that runs the gdm greeter, and a session bus for the logged-in user
> It is meaningful to ask whether a specific dbus-daemon instance is
> applying AppArmor mediation, and the latest development branches
> advertise this by putting "apparmor" in the bus driver's Features
> property. In general it isn't necessarily meaningful to say
> "the dbus-daemons running on this kernel are applying AppArmor
> mediation" because some of them might be an executable that doesn't
> support it, and some of them might support it but have it disabled
> in configuration.
> So I think this is something that should be queried by asking each
> dbus-daemon whether it is mediating, rather than by asking the kernel.
yep having a way to detect/ask individual deamons is the way to go.
I was merely commenting on that the current kernel flag not being
reflective of actual mediation. Which the dbus daemon is providing, and
it (they) should be what is setting the support status, whether in
kernel or by a different means.
Regardless we will be keeping the kernel flag for several years to
provide backwards compat for newer kernels on earlier releases.