[apparmor] Apparmor chromium complaints

Mark Ballard markjballard at googlemail.com
Tue Jun 16 10:20:31 UTC 2015


salut, Jamie.

My question was intended from a user's point of view. It would still be
helpful to know what a user should do in this circumstance. So your note
about developer deliberations over the bug is interesting. But Apparmor
asked for user confirmation for Chromium to perform a range of operations
outside the usual bounds of good behaviour, as far as it could tell.

The questions are such that, really, only a Linux o/s programmer would be
in a position to answer. So naturally, a user will just say yes to the
request and continue from that moment with the assumption that there is a
possibility their apparmor security has been compromised. Clearly, it's not
likely. But it defeats the object of including the user in the process if
on the one hand the process demands more of them than they can give and, on
the other hand, it is simply going to undermine their confidence that the
security software has done its job.

So my question is still pertinent: I told Apparmor Yes in all cases. (i)
Was this wise? (ii) Or should I have said no? (iii) If it was wise, why
bother me with it in the first place?

N.B.

This whole user process would be helped a great deal if the Apparmor
requests gave the user all the information they needed to make the
decision. This should be a constraint for any software attempting to use
the Apparmor complaints process:

(i) Provide information about the process/action being complained to the
user: what is it; why is it being done; what are the advantages and
disadvantages for the user in doing it; what are the advantages and
disadvantages for Apparmor security in doing it; why is it necessary to ask
the user to decide this point; in what circumstances should the request be
refused, and with what consequences; in what circumstances should the user
come back and reverse their decision; and

(ii) Record a Yes/No response to the question of whether the user feels
confident they have had all the information they need to make the decision.
Report that info back so a performance audit of the user interface can be
maintained for packages using Apparmor. And give the user an email to use
to raise any queries quickly and easily.

This is assuming that complaint mode would generate enough complaints
routinely to make the above precautions necessary. And that app developers
would be bothered to co-operate. If the former were true but not the
latter, developers might soon get the hang of it when the rankings of user
feedback were posted, to show that, e.g. the majority of Apparmor users had
zero confidence in Chromium security because it was making gobbledygook
requests for users to approve its rogue intrusions into the private corners
of their system.

If Apparmor relies on user decision to secure the system, then Apparmor and
the system will be inherently insecure if it asks them to make their
decision on insufficient information.

mb.