On Sun, 2021-09-05 at 12:54 +0200, tito via Dng wrote:
> Hi,
> I'm not very fond of apparmor for various reasons:
>

> 1) I experienced unexpected behavior of programs
>       silently failing to do something (log, run, etc)
>       because the apparmor profile was wrong/bugged

I experienced the same, as my first introduction to AppArmor, and a
couple times more before I did the same as you and purged it.

>

> 2) unless you study every code path in the program you want to
>     supervise the profiles used will not be safe but nobody really
> cares
>      (e.g. maintainer adds a profile that works with the default
> setup
>      of the distro (....if it really works))   

This is a great point and probably the biggest reason I remain unsure
about it, combined with the level of permissions it controls, it's like
giving another root-level program access to every bit of processing
that happens. Yes all programs have code that need to be understood to
be trusted, but a program with root-level authority that polices all
other programs....I need to understand that program a lot better,
before trusting it, than I do basically any other program. Maybe there
are flaws in that thinking, but unless I misunderstand the level of
permission and control AppArmor has, I'm right to be weary of it.

Also, the fact that it comes by default, and is enabled by default, and
has those permissions and capabilities, to me, that's the kind of
program that is likely to be exploited in the future, assuming it's not
exploited now and that the dev's or the project are exploitable one way
or another. The fact that it has such permissions and is enabled by
default, and that it was introduced recently, all of those things
justify suspicion as far as I'm concerned. To my unprofessional but
suspicious eyes, it reminds me of systemd.

Maybe we're wrong, but until we take the time to look at and understand
every line of code, and get to know the project, it seems far safer to
rely on things like firewalls and other trusted security tools.


Gabe