On Sun, 05 Sep 2021 10:18:15 +0000 g4sra via Dng <dng@lists.dyne.org> wrote:
> On Sunday, September 5th, 2021 at 11:15 AM, tito <farmat...@tiscali.it> wrote:
>
> > On Sun, 05 Sep 2021 08:54:14 +0000
> > g4sra via Dng dng@lists.dyne.org wrote:
> >
> > > <--snip-->
> > >
> > > > Comments and better ideas are welcome.
> > >
> > > Apparmor
> >
> > Hi,
> > the cure is worse than the disease ;-)
>
> How is Apparmor abusive ?

Hi,

I'm not very fond of apparmor for various reasons:

1) I experienced unexpected behavior of programs silently failing to do something (log, run, etc) because the apparmor profile was wrong/bugged

2) unless you study every code path in the program you want to supervise the profiles used will not be safe but nobody really cares (e.g. maintainer adds a profile that works with the default setup of the distro (....if it really works))

3) if you use a customized setup of services or other programs it is highly probable that the profiles will not work for you

Summary: apparmor gets in the way of doing stuff and in the end adds just one more software layer with a million code lines and the inevitable programming errors, so in my humble opinion it just adds complexity (bad!) with no guarantee of improving security (not so good!) and makes linux more windows-like (worse!!).

Addendum: Quis custodiet ipsos custodes? What will be the next evolutionary step, will we need a new layer that secures apparmor?

My Solution: To avoid all of this trouble and reduce complexity I pin -1 apparmor in apt preferences, purge it and everything related and disable it on the kernel command line with apparmor=0 and everything is smooth, understandable and reliable again as it has been "in saecula saeculorum".

Ciao,
Tito
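The failures described in point 1 are normally recorded by the kernel as audit lines carrying apparmor="DENIED". The following is an added example, not part of the original message, that summarizes such records per profile so a wrong profile can be spotted; the log lines, the profile name /usr/sbin/exampled, the paths and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not taken from the original message).
SAMPLE_LOG = """\
Sep  5 10:18:15 host kernel: audit: type=1400 audit(1630837095.101:41): apparmor="DENIED" operation="open" profile="/usr/sbin/exampled" name="/srv/custom/exampled.log" pid=812 comm="exampled" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Sep  5 10:18:16 host kernel: audit: type=1400 audit(1630837096.202:42): apparmor="DENIED" operation="open" profile="/usr/sbin/exampled" name="/srv/custom/exampled.log" pid=812 comm="exampled" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Sep  5 10:18:17 host kernel: audit: type=1400 audit(1630837097.303:43): apparmor="DENIED" operation="capable" profile="/usr/sbin/exampled" pid=812 comm="exampled" capability=12 capname="net_admin"
Sep  5 10:18:18 host kernel: audit: type=1400 audit(1630837098.404:44): apparmor="ALLOWED" operation="open" profile="/usr/bin/othertool" name="/etc/othertool.conf" pid=900 comm="othertool" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep  5 10:18:19 host kernel: eth0: link becomes ready
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None  # complain-mode ALLOWED records and unrelated lines
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def summarize(log_text):
    """Count denials per (profile, operation, name, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        # Capability denials carry no name/denied_mask; use "-" for those.
        key = (rec.get("profile", "?"), rec.get("operation", "?"),
               rec.get("name", "-"), rec.get("denied_mask", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, name, mask), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {profile}  {op}  {name}  ({mask})")
```

On a live system the same functions can be fed the text of the kernel log or the audit log instead of SAMPLE_LOG.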