Hi,

Christian Seiler:
> On 08/09/2017 10:33 PM, intrigeri wrote:
>>> Or, conversely, is there a possibility to add a flag to the AppArmor
>>> profile to say "fail to load it if something is not understood"? In
>>> that case all profiles shipped by Debian would not include that (for
>>> interoperability reasons) but it could be documented that as a best
>>> practice for admins they should use that flag so that they can be
>>> sure that all protections they specified are actually affected.
>>
>> If we're fine with relying purely on documentation to address this
>> problem for sysadmins writing their own profiles, then we can suggest
>> they use the existing apparmor_parser options about this:
>>
>> alias apparmor_parser='apparmor_parser --warn=rules-not-enforced
>> --warn=rule-downgraded'
>>
>> … and then no new code needs to be written :)
>>
>> Would that be good enough in your opinion?
> If that documentation is easy enough to find: sure, yes.

For now, I've added this to
https://wiki.debian.org/AppArmor/Contribute#Create_new_profiles

Once we've made progress on the documentation front (see below) we can
ensure that whatever resource we recommend documents this.

> Speaking of: are there any good introductions for AppArmor?
> […]
> For buster, if AppArmor is enabled by default (which btw. I'm in
> favor of, in case that was not clear), I think we should take care
> to nudge people towards the resources that describe best practices.

There are a number of AppArmor tutorials aimed at beginners. We link to
a few of them on https://wiki.debian.org/AppArmor#External_links, but
the mere fact that there are 7 of them, with greatly overlapping
content and no indication of who the target audience is, suggests we
don't have a good answer to your question yet. So I've filed #874873
(severity: important) to keep this on our radar.

Thanks for caring, cheers!
--
intrigeri
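A strict-loading wrapper in the spirit of the "fail to load it if something is not understood" request above, added here as an example (it is not code from the thread or from the AppArmor project). It assumes apparmor_parser accepts -Q (skip kernel load), -r (replace) and the two --warn options quoted above, and it treats any stderr output from the dry run as a reason not to load the profile, so the check does not depend on the exact wording of the parser's warnings.

```shell
#!/bin/sh
# Added example, not from the thread: load an AppArmor profile only if a
# dry-run parse with the warn options from the thread produces no output.
# Assumptions: apparmor_parser supports -Q, -r, --warn=rules-not-enforced
# and --warn=rule-downgraded. APPARMOR_PARSER may be overridden, e.g. to
# point at a test stub on a machine without the real parser.

APPARMOR_PARSER="${APPARMOR_PARSER:-apparmor_parser}"

# Dry-run parse of one profile file with warnings enabled. Returns 0 only
# if the parser exited 0 AND wrote nothing to stderr. Any warning or error
# text is replayed on our own stderr so the admin can fix the profile.
strict_check() {
    profile="$1"
    errfile="$(mktemp)"
    if "$APPARMOR_PARSER" -Q --warn=rules-not-enforced \
            --warn=rule-downgraded "$profile" 2>"$errfile"; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -ne 0 ] || [ -s "$errfile" ]; then
        echo "strict_check: refusing $profile (parser status $status):" >&2
        cat "$errfile" >&2
        rm -f "$errfile"
        return 1
    fi
    rm -f "$errfile"
    return 0
}

# Replace the profile in the kernel only after strict_check passes, so a
# rule the parser would silently drop or downgrade never reaches enforcement.
strict_load() {
    strict_check "$1" || return 1
    "$APPARMOR_PARSER" -r "$1"
}

# Usage: strict_load /etc/apparmor.d/usr.bin.example
```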