Web lists-archives.com

Re: recommends for apparmor in newest linux-image-4.13




Michael Stone <mstone@xxxxxxxxxx> writes:

> FWIW, I also think apparmor a bad idea, but it's somehow morphed from
> "can we make it possible to turn apparmor on" to "let's make RC bugs for
> stuff that doesn't work with apparmor" without much real buy-in AFAICT.

Well, it's been possible to turn AppArmor on for a long time.  The recent
debian-devel discussion was about making it the default, which I think
would have made it reasonably obvious that bugs with AppArmor enabled are
going to at least have a much higher severity.

The proponents were quite clear and unambiguous about what they were
trying to do, and there were almost no objections in debian-devel, so it
does seem quite reasonable for them to proceed.

I'm wholeheartedly in favor of trying to get Debian to integrate well with
*some* LSM.  I think it's more important to get one of them to work than
exactly which one; the security benefits of having *any* LSM in place with
halfway decent rule coverage are pretty substantial.  I have no particular
opinion about the relative merits of AppArmor, but it's being actively
developed and Ubuntu has already done a lot of the integration work, so it
makes sense for it to be a potential path of least resistance to having
some LSM available by default.

Maybe SELinux would be better, but various people have been trying to make
SELinux better-integrated with Debian for quite some time, and those
efforts don't seem to have been particularly successful.  Ubuntu has
successfully shipped with AppArmor enabled.

My personal pet "I don't have time" project I'd love to see is extending
systemd units for as many services in Debian as possible to include
namespace restrictions and seccomp filter rules, which I think has good
parallel potential alongside an LSM for raising the default security
posture of Debian.  LSMs deal with per-file restrictions much more easily
than systemd's seccomp and namespace support, but the seccomp and
namespace support does a lot of other nice things that LSMs aren't as good
at.

-- 
Russ Allbery (rra@xxxxxxxxxx)               <http://www.eyrie.org/~eagle/>