On Sun, 2021-09-05 at 12:54 +0200, tito via Dng wrote:
> Hi,
> I'm not very fond of apparmor for various reasons:
>
> 1) I experienced unexpected behavior of programs
> silently failing to do something (log, run, etc)
> because the apparmor profile was wrong/bugged

I experienced the same, as my first introduction to AppArmor, and a couple of times more before I did the same as you and purged it.

> 2) unless you study every code path in the program you want to
> supervise the profiles used will not be safe but nobody really
> cares
> (e.g. maintainer adds a profile that works with the default
> setup
> of the distro (....if it really works))

This is a great point and probably the biggest reason I remain unsure about it. Combined with the level of permissions it controls, it's like giving another root-level program access to every bit of processing that happens. Yes, all programs have code that needs to be understood to be trusted, but a program with root-level authority that polices all other programs... I need to understand that program a lot better, before trusting it, than I do basically any other program. Maybe there are flaws in that thinking, but unless I misunderstand the level of permission and control AppArmor has, I'm right to be wary of it.

Also, the fact that it comes by default, and is enabled by default, and has those permissions and capabilities, to me, that's the kind of program that is likely to be exploited in the future, assuming it's not exploited now and that the devs or the project are exploitable one way or another. The fact that it has such permissions and is enabled by default, and that it was introduced recently, all of those things justify suspicion as far as I'm concerned.

To my unprofessional but suspicious eyes, it reminds me of systemd. Maybe we're wrong, but until we take the time to look at and understand every line of code, and get to know the project, it seems far safer to rely on things like firewalls and other trusted security tools.

Gabe
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
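The "silent failure" tito and Gabe describe is not actually silent at the kernel level: every time an enforced AppArmor profile blocks an access, the kernel emits an audit line with `apparmor="DENIED"` (and, for profiles in complain mode, `apparmor="ALLOWED"` for accesses that would have been blocked). The check a practitioner wants before blaming a misbehaving daemon is to pull those lines out of the kernel log and summarise them per profile. The script below is an added example written for this thread, not code from the list post or from the AppArmor project; the log lines in `SAMPLE_LOG` are constructed to mirror the real `type=1400` audit format, and `/usr/sbin/exampled` is a made-up profile name.

```shell
#!/bin/sh
# Summarise AppArmor denials from kernel audit lines read on stdin.
# Added example for the Dng thread; the sample log lines are constructed.

# Constructed sample of the kernel audit format AppArmor uses. On a real
# box these come from `dmesg` or `journalctl -k`. Line 2 is a complain-mode
# ALLOWED event and line 4 is a profile-load STATUS event; neither is a denial.
SAMPLE_LOG='audit: type=1400 audit(1630839245.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/exampled" name="/var/log/exampled/exampled.log" pid=1234 comm="exampled" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1630839245.456:46): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/etc/other.conf" pid=1300 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1630839246.789:47): apparmor="DENIED" operation="exec" profile="/usr/sbin/exampled" name="/usr/bin/logger" pid=1234 comm="exampled" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1630839247.000:48): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/exampled" pid=900 comm="apparmor_parser"'

# apparmor_denials: read audit lines on stdin, print one tab-separated
# "profile operation name denied_mask" record per DENIED event.
# Fields are pulled with a dynamic ERE per key so the order of key=value
# pairs in the line does not matter; a missing key prints as "-".
apparmor_denials() {
    awk '
    /apparmor="DENIED"/ {
        n = split("profile operation name denied_mask", keys, " ")
        out = ""
        for (i = 1; i <= n; i++) {
            val = "-"
            # match key="value"; RSTART/RLENGTH are POSIX awk
            if (match($0, keys[i] "=\"[^\"]*\"")) {
                val = substr($0, RSTART + length(keys[i]) + 2, RLENGTH - length(keys[i]) - 3)
            }
            out = out (i > 1 ? "\t" : "") val
        }
        print out
    }'
}

# count_denials: number of DENIED events on stdin.
count_denials() {
    apparmor_denials | wc -l | tr -d ' '
}

# denials_by_profile: "count profile" per confined program, most noisy first.
denials_by_profile() {
    apparmor_denials | cut -f1 | sort | uniq -c | sort -rn
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials
printf '%s\n' "$SAMPLE_LOG" | denials_by_profile
```

On a live system the same functions take `dmesg | apparmor_denials` or `journalctl -k | apparmor_denials`; `aa-status` shows which profiles are loaded and whether each is in enforce or complain mode. The usual diagnostic sequence for tito's case is to switch the suspect profile to complain mode with `aa-complain`, reproduce the failure, and read the `ALLOWED` lines to see exactly which paths the profile author never exercised.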