On Mon, Nov 27, 2017 at 09:58:40PM +0000, Rowland Penny wrote:
> 
> Hi, a guy has just asked a question on the samba mailing list about
> apparmor and Samba, it seems that last week, apparmor became a
> dependency for the kernel on Buster, because of systemd.

Uhh, it's no dependency, merely a Recommends:.  You're free to drop it,
although in that case you need to boot with apparmor=0.
 
> Can I take it this dependency will be removed in Beowulf ?

It looks like apparmor causes some problems, but like many security
hardening measures, it might or might not be worth it in the end.
That's why the announcement says it will be reevaluated before Buster's
freeze.

Apparmor guys tested it for a long time as non-default, and only then pushed
as the default for wider testing.  If you don't want to help them by
reporting issues, just disable it (apparmor=0 or build a kernel that doesn't
load apparmor by default).  I have enough on my plate so I opted out this
way, too!

But testing by people who run Devuan is especially valuable: you're more
likely to find bugs that trigger when running without systemd.  And bugs
are easy to fix before the release...


Enabling any LSM by default has such problems.  I for one want to block '\n'
and bytes 1-31,127 in file names as IMHO they have no legitimate use but
cause problems, including security ones.  A simple patch to ban them was
NACKed and I was told to re-do this as an LSM.  Which I'm going to do, and
once tested, I'll harass Debian's kernel maintainers to enable it by default.
Thus, feel forewarned if you value your freedom to have \n in file names
by default.


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ Mozilla's Hippocritical Oath: "Keep trackers off your trail"
⣾⠁⢰⠒⠀⣿⡁ blah blah evading "tracking technology" blah blah
⢿⡄⠘⠷⠚⠋⠀ "https://click.e.mozilla.org/?qs=e7bb0dcf14b1013fca3820..."
⠈⠳⣄⠀⠀⠀⠀ (same for all links)
_______________________________________________
Dng mailing list
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
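
The message above proposes banning '\n' and bytes 1-31 and 127 in file names. As an added example (not part of the original post, and not the patch or LSM it mentions), this Python audit walks a tree with bytes paths, reports names containing those bytes, and shows a newline-delimited listing miscounting entries. The helper names and the sample file names are constructed for illustration.

```python
import os
import tempfile

# Bytes the post proposes banning in file names: 1-31 and 127.
BANNED = frozenset(range(1, 32)) | {127}

def banned_bytes(name: bytes) -> list:
    """Return the sorted banned byte values present in one path component."""
    return sorted(set(name) & BANNED)

def audit_tree(root: bytes) -> list:
    """Walk root using bytes paths (names need not be valid UTF-8)
    and return (path, banned byte values) for every offending name."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            hits = banned_bytes(name)
            if hits:
                findings.append((os.path.join(dirpath, name), hits))
    return sorted(findings)

def newline_delimited_count(root: bytes) -> int:
    """Count entries the way a consumer of a newline-separated listing would."""
    listing = b"\n".join(sorted(os.listdir(root)))
    return len(listing.split(b"\n"))

def demo() -> dict:
    """Build a constructed sample directory and audit it."""
    # Constructed names: one plain, one with '\n', one with a tab,
    # and one with legitimate non-ASCII (UTF-8) that must not be flagged.
    samples = (b"report.txt", b"notes\nroot.txt", b"tab\there", b"caf\xc3\xa9.txt")
    with tempfile.TemporaryDirectory() as tmp:
        root = os.fsencode(tmp)
        for name in samples:
            with open(os.path.join(root, name), "wb"):
                pass
        findings = audit_tree(root)
        return {
            "real_entries": len(os.listdir(root)),
            "naive_entries": newline_delimited_count(root),
            "flagged": [(os.path.basename(p), hits) for p, hits in findings],
        }

if __name__ == "__main__":
    print(demo())
```

The sample directory is created on a filesystem that permits these bytes in names, as typical Linux filesystems do.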