[pkg-apparmor] Bug#830502: apparmor-profiles: Reconsider what profiles are shipped in /etc/apparmor.d/ and in which mode

Seth Arnold seth.arnold at canonical.com
Wed Jul 5 23:20:26 UTC 2017


On Tue, Jul 04, 2017 at 09:52:55AM +0200, intrigeri wrote:
> Drawbacks of shipping not-quite-ready-yet profiles (in complain mode)
> in /etc/apparmor.d/:
> 
>  * it's hard to communicate to users the quality of these profiles,
>    and where bugs/improvements shall be submitted; currently we have

Complain-mode profiles can also have significant performance penalties:

- Verbose logging can steal IOPS and keep hard drives from going to sleep.

- Missing 'x' rules can lead to enormous kernel memory use due to
  auto-generated //null- profiles.

- The kernel memory pressure can induce premature swapping which hurts
  extra hard when the log files are seeing constant IO.

There's not much middle ground between "good enough to be enabled by
default" and "should not be enabled by default". If we don't trust it
to be correct for the vast majority of users, we shouldn't enable it by
default, even if unconfined. The penalties for those few can be pretty
steep and that leads to turning off AppArmor entirely rather than just
the one profile that's not ready.

Thanks
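
The following is an added example, not part of the original message or of AppArmor's own tooling: a small log summarizer that measures the two costs named above, the volume of complain-mode (`ALLOWED`) events per profile and the auto-generated `//null-` profiles created when an exec has no matching 'x' rule. The log lines and profile names are constructed samples in the kernel's audit field layout.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not from the original message);
# /usr/bin/exampled and /usr/sbin/otherd are made-up profile names.
SAMPLE_LOG = """\
audit: type=1400 audit(1499296826.101:10): apparmor="ALLOWED" operation="open" profile="/usr/bin/exampled" name="/etc/hosts" pid=811 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1499296826.140:11): apparmor="ALLOWED" operation="exec" profile="/usr/bin/exampled" name="/bin/dash" pid=812 comm="exampled" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/exampled//null-/bin/dash"
audit: type=1400 audit(1499296826.152:12): apparmor="ALLOWED" operation="open" profile="/usr/bin/exampled//null-/bin/dash" name="/etc/passwd" pid=812 comm="dash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1499296826.190:13): apparmor="ALLOWED" operation="exec" profile="/usr/bin/exampled//null-/bin/dash" name="/usr/bin/logger" pid=813 comm="dash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/exampled//null-/bin/dash//null-/usr/bin/logger"
audit: type=1400 audit(1499296827.004:14): apparmor="DENIED" operation="open" profile="/usr/sbin/otherd" name="/etc/shadow" pid=900 comm="otherd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either quoted strings or bare tokens.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def summarize(log_text):
    """Count complain-mode events per base profile and collect the
    //null- profiles the kernel generated for unmatched exec transitions."""
    events, null_profiles = Counter(), set()
    for line in log_text.splitlines():
        fields = parse(line)
        profile = fields.get("profile")
        # Only complain-mode events are of interest; enforce-mode lines say DENIED.
        if fields.get("apparmor") != "ALLOWED" or not profile:
            continue
        # Charge the event to the shipped profile, not to its //null- children.
        events[profile.split("//null-")[0]] += 1
        for name in (profile, fields.get("target", "")):
            if "//null-" in name:
                null_profiles.add(name)
    return events, null_profiles


if __name__ == "__main__":
    events, null_profiles = summarize(SAMPLE_LOG)
    for profile, count in events.most_common():
        print(f"{count:6d} complain-mode events  {profile}")
    for name in sorted(null_profiles):
        print(f"auto-generated profile: {name}")
```
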