Michael Stone <mst...@debian.org> writes:

> FWIW, I also think apparmor a bad idea, but it's somehow morphed from
> "can we make it possible to turn apparmor on" to "let's make RC bugs for
> stuff that doesn't work with apparmor" without much real buy-in AFAICT.
Well, it's been possible to turn AppArmor on for a long time. The recent debian-devel discussion was about making it the default, which I think would have made it reasonably obvious that bugs with AppArmor enabled are going to at least have a much higher severity. The proponents were quite clear and unambiguous about what they were trying to do, and there were almost no objections in debian-devel, so it does seem quite reasonable for them to proceed.

I'm wholeheartedly in favor of trying to get Debian to integrate well with *some* LSM. I think it's more important to get one of them to work than exactly which one; the security benefits of having *any* LSM in place with halfway decent rule coverage are pretty substantial. I have no particular opinion about the relative merits of AppArmor, but it's being actively developed and Ubuntu has already done a lot of the integration work, so it makes sense for it to be a potential path of least resistance to having some LSM available by default. Maybe SELinux would be better, but various people have been trying to make SELinux better-integrated with Debian for quite some time, and those efforts don't seem to have been particularly successful. Ubuntu has successfully shipped with AppArmor enabled.

My personal pet "I don't have time" project I'd love to see is extending systemd units for as many services in Debian as possible to include namespace restrictions and seccomp filter rules, which I think has good parallel potential alongside an LSM for raising the default security posture of Debian. LSMs deal with per-file restrictions much more easily than systemd's seccomp and namespace support, but the seccomp and namespace support does a lot of other nice things that LSMs aren't as good at.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
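The kind of per-service namespace and seccomp hardening described in the last paragraph above, as an added illustration that is not part of the original thread and not the unit file of any Debian package: a systemd drop-in for a hypothetical service named `example-daemon`, with its state directory `/var/lib/example-daemon` also assumed. Everything in it is a stock systemd `[Service]` directive (see systemd.exec(5)).

```ini
# /etc/systemd/system/example-daemon.service.d/hardening.conf
# Added illustration. "example-daemon" and /var/lib/example-daemon are
# placeholders, not a real Debian service or path.
[Service]
# Mount-namespace restrictions: read-only /usr, /boot, /etc and the rest of
# the root filesystem, no view of home directories, private /tmp and /dev.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# The one place the daemon is allowed to write. Note how coarse this is
# compared with a per-file LSM rule: it is a whole directory, not a set of files.
ReadWritePaths=/var/lib/example-daemon

# Kernel interfaces the service has no business touching.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# seccomp filter. The first positive list is an allowlist (@system-service is
# systemd's predefined set for ordinary daemons); the following "~" entries
# then remove the privileged, resource-tuning and obsolete syscall groups from it.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete
# Refuse syscalls from non-native ABIs (e.g. 32-bit compat on amd64).
SystemCallArchitectures=native
# Blocked syscalls fail with EPERM instead of killing the process, so a
# too-tight filter shows up in the daemon's own error handling and the
# journal rather than as a mysterious SIGSYS crash.
SystemCallErrorNumber=EPERM
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security example-daemon.service` scores the resulting sandbox, and `journalctl -u example-daemon` plus `strace -f -e trace=%process,%file` on the running daemon will surface the EPERM failures a filter that is too strict produces. That verification step is the part that takes the time: each directive is one line to add, but it is only safe to ship once the service has been exercised under it, which is much the same tension between "it can be turned on" and "breakage under it is RC" that the thread is arguing about for AppArmor.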