Web lists-archives.com

Re: recommends for apparmor in newest linux-image-4.13




On Thu, Nov 23, 2017 at 03:43:10PM +0100, Lars Wirzenius wrote:
> 
> do you think you could manage to either point the general -devel
> reading population to a discussion of why using AppArmor by default is
> horrible news, or write that yourself? That would seem to be more
> constructive than you just showing up after months of discussion
> saying it's horrible news.

It's just a bad idea of a security model that implements ad-hoc
and mostly path based restrictions instead of an actually verified
security model.  Using that by default makes it much harder to actually
use a real MAC based security model, which not only is required for
various security sensitive deployments but also a good idea in general.

Last but not least apparmor had various issues where certain distros
shipped non-upstream features that later turned out to be incompatible
with what went upstream.