:: Re: [DNG] apparmor? (was Re: What d…
Top Page
Delete this message
Reply to this message
Author: dng@d404.nl
Date:  
To: dng
Subject: Re: [DNG] apparmor? (was Re: What does this remind you of?)
On 07-03-2021 19:39, al3xu5 wrote:
> Sun, 7 Mar 2021 19:11:18 +0100 - "dng@???" <dng@???>:
>
>> On 07-03-2021 18:20, tito via Dng wrote:
> [...] I personally would scrap:
> [..]
>>> apparmor
> [...]
>>> Tito
>> Mostly agree with you and in its current state apparmor belongs to this
>> list. In the same time I like the idea of apparmor in limiting apps
>> behavior. It could be most useful if implemented correctly.
>> Nick
>
> Hi
>
> I have:
>
> ~~~
> $ sudo service apparmor status
>
> apparmor module is loaded.
> 17 profiles are loaded.
> 17 profiles are in enforce mode.
>    /usr/bin/man
>    /usr/lib/cups/backend/cups-pdf
>    /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session
>    /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium
>    /usr/sbin/cups-browsed
>    /usr/sbin/cupsd
>    /usr/sbin/cupsd//third_party
>    /usr/sbin/libvirtd
>    /usr/sbin/libvirtd//qemu_bridge_helper
>    /usr/sbin/ntpd
>    /usr/sbin/tcpdump
>    man_filter
>    man_groff
>    nvidia_modprobe
>    nvidia_modprobe//kmod
>    system_tor
>    virt-aa-helper
> 0 profiles are in complain mode.
> 6 processes have profiles defined.
> 6 processes are in enforce mode.
>    /usr/sbin/cups-browsed (2446) 
>    /usr/sbin/cupsd (12205) 
>    /usr/lib/cups/notifier/dbus (12208) /usr/sbin/cupsd
>    /usr/sbin/libvirtd (3278) 
>    /usr/sbin/ntpd (3030) 
>    /usr/bin/tor (3200) system_tor
> 0 processes are in complain mode.
> 0 processes are unconfined but have a profile defined.
> ~~~

>
> I have done nothing (I can remember) about apparmor configuration and
> profiles...
>
> Maybe it was installed by default or maybe I had installed it ages ago and
> it hasremained over time, a dist-upgrade after the other.
>
> So, I would like your advice: is there any sense that I keep it on the
> system? Or can I do without quietly?
>
> Thanks in advance.
>
> Regards
> al3xu5
>
>
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


In its current state (with little updated profiles working with enforce)
it does not add much to your daily use imo. According to
https://wiki.debian.org/AppArmor/HowToUse#Disable_AppArmor it is enabled
by default in Debian 10. And you can disable it with a kernel parameter
in grub.

Grtz.

Nick