Robie Basak robie.basak at ubuntu.com
Thu Jan 9 01:21:54 UTC 2014

On Wed, Jan 08, 2014 at 05:53:06PM -0500, John Moser wrote:
> Well, they have a large amount of stuff showing how they've demonstrated
> VM isolation under a paravirtualizing hypervisor to separate out
> security zones on a single system.  X11 is in one VM, some user
> applications are in another VM, other user applications have their own VM...

It isn't the same thing by any means, but I'm generally happy with
AppArmor as a means of constraining individual apps I don't trust (or
that could be more easily compromised) from walking over my system.

It's difficult to confine everything without losing usefulness, as you
point out. Are there any cases where we know how an app could break
AppArmor confinement in a significant way and in the same usability
scenario where having it in a VM would protect you? (I don't count
something like "being able to see a ps listing" as significant here)
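To make the "constraining individual apps" point concrete, here is an added example of the kind of AppArmor profile meant, not something from this thread or from any Ubuntu package. It confines a hypothetical desktop application `/usr/bin/example-viewer` (an assumed name, as is the profile path `/etc/apparmor.d/usr.bin.example-viewer`) so that it can read the user's documents and write its own configuration directory, and nothing else in the home directory. Note that a GUI app still has to be granted the X socket via `abstractions/X`, which is exactly the boundary the quoted VM design moves into a separate VM rather than relying on per-app confinement.

```apparmor
# Added example, not from the original thread. Hypothetical profile for
# /usr/bin/example-viewer, assumed to be stored as
# /etc/apparmor.d/usr.bin.example-viewer.
#include <tunables/global>

/usr/bin/example-viewer {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # The binary itself, mapped executable (m) and readable (r).
  /usr/bin/example-viewer mr,

  # Its own settings directory; "owner" restricts this to files owned
  # by the invoking user, so a shared machine's other users are untouched.
  owner @{HOME}/.config/example-viewer/ rw,
  owner @{HOME}/.config/example-viewer/** rwk,

  # Documents the user opens with it: read-only.
  owner @{HOME}/Documents/** r,

  # Credentials the app has no business touching. Deny rules win over
  # allow rules, and "audit" makes every attempt show up in the kernel
  # log as apparmor="DENIED", which is the detection signal if the app
  # is ever compromised and starts walking the home directory.
  audit deny @{HOME}/.ssh/** rwk,
  audit deny @{HOME}/.gnupg/** rwk,

  # This app does not need the network at all.
  deny network,
}
```

Load it in enforce mode with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.example-viewer` and confirm with `sudo aa-status` that the profile is listed as enforced; a blocked access then appears in `dmesg` or `/var/log/kern.log` as an `apparmor="DENIED"` line naming the profile, the operation and the path. Before enforcing on a real application, running it in complain mode (`aa-complain`) for a while is the usual way to discover which accesses the profile is still missing.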

