(forwarding Seth's reply to the bug report)
--- Begin Message ---
On Tue, Jul 04, 2017 at 09:52:55AM +0200, intrigeri wrote:
> Drawbacks of shipping not-quite-ready-yet profiles (in complain mode)
> in /etc/apparmor.d/:
>
> * it's hard to communicate to users the quality of these profiles,
>   and where bugs/improvements shall be submitted; currently we have

Complain-mode profiles can also have significant performance penalties:

- Verbose logging can steal IOPS and keep hard drives from going to sleep.
- Missing 'x' rules can lead to enormous kernel memory use due to auto-generated //null- profiles.
- The kernel memory pressure can induce premature swapping, which hurts extra hard when the log files are seeing constant IO.

There's not much middle ground between "good enough to be enabled by default" and "should not be enabled by default". If we don't trust it to be correct for the vast majority of users, we shouldn't enable it by default, even if unconfined. The penalties for those few can be pretty steep, and that leads to turning off AppArmor entirely rather than just the one profile that's not ready.

Thanks
--- End Message ---
-- intrigeri
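The two costs Seth names, constant ALLOWED logging and auto-generated //null- profiles from missing 'x' rules, are both visible in the audit log before they become an IOPS or kernel-memory problem. The following script is an added example, not code from Seth, intrigeri or the Debian AppArmor packaging: it parses AppArmor AVC audit lines, counts ALLOWED (complain-mode) events per profile, flags exec events whose denied mask contains 'x' (the ones that spawn null- profiles), and collects the null- profile names it sees. The log lines embedded in it are constructed for the example; the profile paths, pids and the nested "//null-" naming are assumptions, not real data from any system.

```python
import re
from collections import Counter

# Constructed sample of AppArmor AVC messages as they would appear in
# kern.log / audit.log for a profile running in complain mode.
# None of these paths, pids or timestamps come from a real system.
SAMPLE_LOG = """\
type=AVC msg=audit(1499154775.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/ld.so.cache" pid=1001 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499154775.102:202): apparmor="ALLOWED" operation="exec" profile="/usr/bin/example" name="/usr/bin/helper" pid=1001 comm="example" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/example//null-/usr/bin/helper"
type=AVC msg=audit(1499154775.103:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/example//null-/usr/bin/helper" name="/etc/passwd" pid=1002 comm="helper" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499154775.104:204): apparmor="ALLOWED" operation="exec" profile="/usr/bin/example//null-/usr/bin/helper" name="/bin/sh" pid=1002 comm="helper" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/example//null-/usr/bin/helper//null-/bin/sh"
type=AVC msg=audit(1499154775.105:205): apparmor="DENIED" operation="open" profile="/usr/bin/other" name="/etc/shadow" pid=1003 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bareword, as used throughout AVC records
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one AVC record into a dict of its key=value fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        val = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = val
    return fields


def summarize(log_text):
    """Count complain-mode (ALLOWED) events and spot null- profile creation."""
    allowed_per_profile = Counter()
    missing_x = Counter()      # (profile, executed path) pairs lacking an x rule
    null_profiles = set()      # auto-generated profile names seen in the log
    for line in log_text.splitlines():
        if 'apparmor="ALLOWED"' not in line:
            continue           # DENIED lines belong to enforce-mode profiles
        f = parse_line(line)
        profile = f.get("profile", "")
        allowed_per_profile[profile] += 1
        if "//null-" in profile:
            null_profiles.add(profile)
        # An exec that was only ALLOWED because of complain mode: the kernel
        # attaches the child to a fresh //null- profile, which is the memory
        # cost Seth describes.
        if f.get("operation") == "exec" and "x" in f.get("denied_mask", ""):
            missing_x[(profile, f.get("name", ""))] += 1
            target = f.get("target", "")
            if "//null-" in target:
                null_profiles.add(target)
    return {
        "allowed_events": sum(allowed_per_profile.values()),
        "allowed_per_profile": dict(allowed_per_profile),
        "missing_x_rules": dict(missing_x),
        "null_profiles": sorted(null_profiles),
    }


def suggest_exec_rules(summary):
    """Draft the x rules whose absence produced null- profiles.

    The exec mode (ix, Px, Cx, ...) is a policy decision the profile author
    has to make; 'ix' here is only a placeholder to be reviewed.
    """
    return sorted(
        f"{path} ix,  # placeholder mode; chosen for profile {profile}"
        for (profile, path) in summary["missing_x_rules"]
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"ALLOWED events: {s['allowed_events']}")
    for prof, n in s["allowed_per_profile"].items():
        print(f"  {n:4d}  {prof}")
    print("null- profiles created:")
    for p in s["null_profiles"]:
        print(f"  {p}")
    print("candidate x rules to review:")
    for rule in suggest_exec_rules(s):
        print(f"  {rule}")
```

Run against a real kern.log the script gives a quick read on how chatty a complain-mode profile is (the IOPS side) and how many null- profiles it has spawned (the kernel-memory side), which is the evidence needed before deciding whether a profile is ready to ship enabled; the candidate rules are only a starting point for aa-logprof-style review, since the exec mode must be chosen deliberately.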