[apparmor] Apparmor chromium complaints

John Johansen john.johansen at canonical.com
Tue Jun 16 21:05:50 UTC 2015


On 06/16/2015 03:20 AM, Mark Ballard wrote:
> salut, Jamie.
> 
> My question was intended from a user's point of view. It would still be helpful to know what a user should do in this circumstance. So your note about developer deliberations over the bug is interesting. But Apparmor asked for user confirmation for Chromium to perform a range of operations outside the usual bounds of good behaviour, as far as it could tell.
> 
> The questions are such that, really, only a linux o/s programmer would be in a position to answer. So naturally, a user will just say yes to the request and continue from that moment with the assumption that there is a possibility their apparmor security has been compromised. Clearly, it's not likely. But it defeats the object of including the user in the process if on the one hand the process demands more of them than they can give and, on the other hand, it is simply going to undermine their confidence that the security software has done its job.
> 
> So my question is still pertinent: I told Apparmor Yes in all cases. (i) Was this wise? (ii) Or should I have said no? (iii) If it was wise, why bother me with it in the first place?
> 
> N.B.
> 
> This whole user process would be helped a great deal if the Apparmor requests gave the user all the information they needed to make the decision. This should be a constraint for any software attempting to use the Apparmor complaints process:
> 
> (i) Provide information about the process/action being complained to the user: what is it; why is it being done; what are the advantages and disadvantages for the user in doing it; what are the advantages and disadvantages for Apparmor security in doing it; why is it necessary to ask the user to decide this point; in what circumstances should the request be refused, and with what consequences; in what circumstances should the user come back and reverse their decision; and
> 
> (ii) Record a Yes/No response to the question of whether the user feels confident they have had all the information they need to make the decision. Report that info back so a performance audit of the user interface can be maintained for packages using Apparmor. And give the user an email to use to raise any queries quickly and easily.
> 
> This is assuming that complaint mode would generate enough complaints routinely to make the above precautions necessary. And that app developers would be bothered to co-operate. If the former were true but not the latter, developers might soon get the hang of it when the rankings of user feedback were posted, to show that, e.g. the majority of Apparmor users had zero confidence in Chromium security because it was making gobbledygook requests for users to approve its rogue intrusions into the private corners of their system.
> 
> If Apparmor relies on user decision to secure the system, then Apparmor and the system will be inherently insecure if it asks them to make their decision on insufficient information.
> 
right,

Generally the user can not be trusted to make such decisions. I think the
disconnect is why the profile is in complain mode, and not enabled by
default. The profile is still in development and is not ready for the
average user. It is made available for anyone to enable but really should
carry comments/warnings about its status.



