[apparmor] RFC: draft proposal for enabling AppArmor by default in Debian

Christian Boltz apparmor at cboltz.de
Fri Aug 4 18:46:45 UTC 2017


Hello,

On Friday, 4 August 2017, 14:07:17 CEST, Simon McVittie wrote:
> On Thu, 03 Aug 2017 at 17:20:20 -0400, intrigeri wrote:
> > Hi Debian AppArmor team, upstream AppArmor people, people who
> > volunteered to review this text, a few maintainers of packages that
> > include AppArmor policy, and some innocent bystanders!
> 
> You have presented the case for enabling AppArmor well, so here is the
> devil's-advocate position: issues with doing so.
> 
> > AppArmor confines programs according to a set of rules that specify
> > what operations a given program can access, e.g. it can prevent your
> > PDF reader and video player from accessing your GnuPG secret keys
> > and executing arbitrary code. This proactive approach helps protect
> > the system against both known and unknown vulnerabilities.
> 
> Does it, though? To judge the value of AppArmor, I don't think it's
> enough to know how many wrong denials we have (functionality being
> broken by AppArmor): we should also understand how many attacks would
> have been mitigated or prevented by it.

Wrong distribution, but still - it prevented exploiting Sambacry aka 
CVE-2017-7494 on openSUSE :-) - https://lists.opensuse.org/opensuse-security-announce/2017-05/msg00067.html
(BTW: openSUSE has a nice script that updates the samba profile based on 
the configured shares which helped a lot to reduce complaints about the 
Samba AppArmor profile.)

Another practical example is Dirtycow - I played with two of the sample 
exploits, and AppArmor was able to keep that cow clean ;-)

> My experience has been that updates to lower-level libraries like SDL
> and udev frequently cause me to have to update my profiles, even
> without code changes to what I actually maintain. If they were in
> enforcing mode, functionality would presumably have been lost.

Just curious - can you give some examples (especially the needed profile 
changes) for this?

> Games are pretty much the perfect example of something that should
> have AppArmor profiles - their legitimate interactions with user files
> are minimal, and I like to characterise them (not entirely jokingly)
> as basically a series of security flaws joined together by a physics
> engine. 

*lol*


Regards,

Christian Boltz
-- 
The updated behavior seems to be that this is happening on a weekly
basis like clockwork. The problem disappears approximately somewhere
between Wednesday to Saturday each week, only to reappear somewhere
approximately Sunday to Wednesday each week. [Ton Su in bnc#727586]