On Sun, 05 Sep 2021 10:18:15 +0000
g4sra via Dng <dng@???> wrote:
> On Sunday, September 5th, 2021 at 11:15 AM, tito <farmatito@???> wrote:
> > On Sun, 05 Sep 2021 08:54:14 +0000
> > g4sra via Dng dng@??? wrote:
> > > <--snip-->
> > > > Comments and better ideas are welcome.
> > > Apparmor
> > Hi,
> > the cure is worse than the disease ;-)
> How is Apparmor abusive ?
>
Hi,
I'm not very fond of apparmor for various reasons:
1) I experienced unexpected behavior of programs
silently failing to do something (log, run, etc)
because the apparmor profile was wrong/bugged
2) unless you study every code path in the program you want to
supervise the profiles used will not be safe but nobody really cares
(e.g. maintainer adds a profile that works with the default setup
of the distro (....if it really works))
3) if you use a customized setup of services or other programs
it is highly probable that the profiles will not work for you
Summary:
apparmor gets in the way of doing stuff and
in the end adds just one more software layer
with a million code lines and the inevitable
programming errors, so in my humble opinion
it just adds complexity (bad!) with no guarantee of improving
security (not so good!) and makes Linux more
Windows-like (worse!!).
Addendum:
Quis custodiet ipsos custodes?
What will be the next evolutionary step, will we need
a new layer that secures apparmor?
My Solution:
To avoid all of this trouble and reduce complexity I pin -1
apparmor in apt preferences, purge it and everything related
and disable it on the kernel command line with apparmor=0
and everything is smooth, understandable and reliable again
as it has been "in saecula saeculorum".
Ciao,
Tito
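Point 1 above (programs silently failing because a profile is wrong) is something a sysadmin can diagnose rather than guess at: AppArmor logs every denial to the kernel/audit log as a `type=1400` line carrying `apparmor="DENIED"` and `key="value"` fields. The script below is an added example for this thread, not code from any participant or from the AppArmor project: it parses such lines and tallies denials per profile, operation and path, so a "mysteriously not logging" daemon can be traced to the exact path its profile blocks. The log lines, the `/usr/sbin/example-daemon` profile name and the paths in them are constructed for the example; on a real system you would feed it the output of `dmesg` or `journalctl -k`.

```python
import re
from collections import Counter

# Constructed sample kernel-log lines (not from the thread). The field layout
# follows AppArmor's audit messages: key="value" pairs after apparmor="DENIED".
SAMPLE_LOG = """\
[ 1234.567] audit: type=1400 audit(1630000001.100:21): apparmor="DENIED" operation="open" profile="/usr/sbin/example-daemon" name="/var/log/example/app.log" pid=2310 comm="example-daemon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 1234.570] audit: type=1400 audit(1630000001.101:22): apparmor="DENIED" operation="exec" profile="/usr/sbin/example-daemon" name="/usr/local/bin/helper" pid=2311 comm="example-daemon" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 1234.580] audit: type=1400 audit(1630000001.102:23): apparmor="ALLOWED" operation="open" profile="/usr/sbin/other" name="/etc/other.conf" pid=2400 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1234.590] audit: type=1400 audit(1630000001.103:24): apparmor="DENIED" operation="open" profile="/usr/sbin/example-daemon" name="/var/log/example/app.log" pid=2310 comm="example-daemon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 1234.600] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

# key=value or key="quoted value"; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return a dict of key/value fields for an AppArmor audit line, or None
    for any line that is not an AppArmor message."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def summarize_denials(log_text):
    """Count DENIED events keyed by (profile, operation, path, denied_mask).

    Complain-mode events are logged as ALLOWED and are deliberately skipped;
    only real enforcement denials are counted."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f is None or f.get("apparmor") != "DENIED":
            continue
        key = (f.get("profile", "?"), f.get("operation", "?"),
               f.get("name", ""), f.get("denied_mask", ""))
        counts[key] += 1
    return counts


def report(log_text):
    """Render the denial summary as one line per distinct denial, most frequent first."""
    lines = []
    for (profile, op, name, mask), n in summarize_denials(log_text).most_common():
        lines.append(f"{n:4d}x  {profile}: {op} {name or '(no path)'} denied_mask={mask}")
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_LOG with sys.stdin.read() to run over `journalctl -k` output.
    for entry in report(SAMPLE_LOG):
        print(entry)
```

Running it on the constructed log shows two denied writes to `/var/log/example/app.log` and one denied exec of `/usr/local/bin/helper` for the example daemon, which is exactly the "silently fails to log or run" symptom described above. Each reported path and mask maps directly to a rule that would have to be added to the profile, and the same output is what `aa-logprof` would walk you through interactively.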