:: Re: [DNG] KUserFeedback
トップ ページ
このメッセージを削除
このメッセージに返信
著者: tito
日付:  
To: dng
題目: Re: [DNG] KUserFeedback
On Sun, 05 Sep 2021 10:18:15 +0000
g4sra via Dng <dng@???> wrote:

> On Sunday, September 5th, 2021 at 11:15 AM, tito <farmatito@???> wrote:
> > On Sun, 05 Sep 2021 08:54:14 +0000
> > g4sra via Dng dng@??? wrote:
> > > <--snip-->
> > > >     Comments and better ideas are welcome.
> > > Apparmor
> > Hi,
> > the cure is worse than the disease ;-)
> How is Apparmor abusive ?

>


Hi,
I'm not very fond of apparmor for various reasons:

1) I experienced unexpected behavior of programs
      silently failing to do something (log, run, etc)
      because the apparmor profile was wrong/bugged


2) unless you study every code path in the program you want to
    supervise the profiles used will not be safe but nobody really cares
     (e.g. maintainer adds a profile that works with the default setup
     of the distro (....if it really works))     


3) if you use a customized setup of services or other programs
      it is highly probable that the profiles will not work for you


Summary:
       apparmor gets in the way of doing stuff and
     in the end adds just one more software layer
     with a million code lines and the inevitable 
     programming errors, so in my humble opinion
     it just adds complexity (bad!) with no guarantee of improving
     security (not so good!) and makes linux more
     windows-like (worse!!).  


Addendum:       


      Quis custodiet ipsos custodes?


    What will be the next evolutionary step, will we need
    a new layer that secures apparmor? 


My Solution:

To avoid all of this trouble and reduce complexity I pin -1
apparmor in apt preferences, purge it and everything related
and disable it on the kernel command line with apparmor=0
and everything is smooth, understandable and reliable again
as it has been "in saecula saeculorum".

Ciao,
Tito