Re: [arch-general] AppArmor support
On Sun, Sep 09, 2018 at 06:13:24PM -0400, Eli Schwartz via arch-general wrote:
> On 9/9/18 4:00 PM, Leonid Isaev via arch-general wrote:
> > FWIW, I actually agree with #59733: CONFIG_AUDIT=n was blocking AppArmor
> > adoption... Perhaps relevant:
> > https://lists.debian.org/debian-devel/2017/08/msg00090.html .
> >
> > But I have a question: why was AUDIT enabled in the first place? I thought
> > it was considered useless?
>
> It is definitely not useless! It's historically been disabled because it
> did not have any good way to enable support, but keep it turned off by
> default. And having it turned on by default came with mandatory
> slowdowns for *all* users.
>
> Ironically, Spectre has proven to be our friend here -- due to all the
> mitigations, there is now no fast path for these system calls, so your
> kernel is just as slow whether AUDIT is enabled or not. Therefore, we
> ended up simply enabling it.

Good to know. I remember arguments like "audit is primarily necessary for
selinux that we don't have... Otherwise it just spams logs". In any case,
audit=0 is the way to go for me.

Cheers,
L.

--
Leonid Isaev
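A check for the two kernel options this exchange turns on (CONFIG_AUDIT, which AppArmor needs at build time, and the audit=0 boot parameter that switches a built-in audit subsystem off), as an added example that is not code from the list thread or from Arch; it assumes a kernel .config in the usual "CONFIG_FOO=y" / "# CONFIG_FOO is not set" form and the 4.18-era security= boot selector, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: read CONFIG_AUDIT and
# CONFIG_SECURITY_APPARMOR from a kernel .config and combine them with the
# boot command line (audit=0, security=apparmor) into an effective state.
# Inputs below are constructed; on a real box use "zcat /proc/config.gz"
# (or /boot/config-$(uname -r)) and /proc/cmdline.

# kopt FILE SYMBOL -> y | m | n ("# SYMBOL is not set") | missing | other
kopt() {
    line=$(grep -E "^(# )?$2[= ]" "$1" | head -n 1)
    case "$line" in
        "$2=y") echo y ;;
        "$2=m") echo m ;;
        "# $2 is not set") echo n ;;
        "") echo missing ;;
        *) echo other ;;
    esac
}

# A built-in audit subsystem can still be switched off at boot with audit=0,
# which is what the reply above settles on.
audit_state() {   # FILE CMDLINE
    [ "$(kopt "$1" CONFIG_AUDIT)" = y ] || { echo "off (not compiled in)"; return; }
    case " $2 " in
        *" audit=0 "*) echo "compiled in, disabled by audit=0" ;;
        *) echo "compiled in, enabled" ;;
    esac
}

# AppArmor must be built in and then be the default LSM or be picked with
# security=apparmor (the 4.18-era selector; newer kernels use lsm= instead).
apparmor_state() {   # FILE CMDLINE
    aa=$(kopt "$1" CONFIG_SECURITY_APPARMOR)
    [ "$aa" = y ] || { echo "unavailable (CONFIG_SECURITY_APPARMOR=$aa)"; return; }
    case " $2 " in
        *" security=apparmor "*) echo "built in, selected by security=apparmor"; return ;;
        *" security="*) echo "built in, another LSM selected on cmdline"; return ;;
    esac
    [ "$(kopt "$1" CONFIG_DEFAULT_SECURITY_APPARMOR)" = y ] \
        && echo "built in, default LSM" \
        || echo "built in, not default (needs security=apparmor)"
}

# Constructed sample: audit on, AppArmor built in, DAC still the default LSM.
SAMPLE_CFG=$(mktemp)
printf '%s\n' CONFIG_AUDIT=y CONFIG_AUDITSYSCALL=y CONFIG_SECURITY_APPARMOR=y \
    '# CONFIG_SECURITY_SELINUX is not set' CONFIG_DEFAULT_SECURITY_DAC=y > "$SAMPLE_CFG"
SAMPLE_CMDLINE="root=/dev/sda2 rw audit=0 quiet"
echo "audit:    $(audit_state "$SAMPLE_CFG" "$SAMPLE_CMDLINE")"
echo "apparmor: $(apparmor_state "$SAMPLE_CFG" "$SAMPLE_CMDLINE")"
```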
Re: [arch-general] AppArmor support
> From: David Runge
> Sent: Sun Sep 09 22:19:37 CEST 2018
> To: , General Discussion about Arch Linux
> , Leonid Isaev via arch-general
> ,
> Subject: Re: [arch-general] AppArmor support
>
> FYI,
> I'm currently working on bringing the user space tools to [community], but
> the rule sets will require testing and possibly we'll even have to have our
> own set shipped with the package.
>
> I'll let you know asap.
>
> As a side note: As Eli already pointed out there is no need for personal
> attacks because of a discussion on this topic. We'll try to make this ship
> sail, but it needs time (and testing).
>
> Best,
> David

Do you mean AppArmor user space tools? The AUR package works well with sed
rules:
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=apparmor#n49

The next AppArmor userspace tools will have full usrmerge support, so the
above won't be needed:
https://gitlab.com/apparmor/apparmor/commit/4200932d8fb31cc3782d96dd8312511e807fd09b

Any Arch specific rules should be sent upstream.

Yours sincerely
G. K.
Re: [arch-general] AppArmor support
On 9/9/18 4:00 PM, Leonid Isaev via arch-general wrote:
> FWIW, I actually agree with #59733: CONFIG_AUDIT=n was blocking AppArmor
> adoption... Perhaps relevant:
> https://lists.debian.org/debian-devel/2017/08/msg00090.html .
>
> But I have a question: why was AUDIT enabled in the first place? I thought it
> was considered useless?

It is definitely not useless! It's historically been disabled because it
did not have any good way to enable support, but keep it turned off by
default. And having it turned on by default came with mandatory
slowdowns for *all* users.

Ironically, Spectre has proven to be our friend here -- due to all the
mitigations, there is now no fast path for these system calls, so your
kernel is just as slow whether AUDIT is enabled or not. Therefore, we
ended up simply enabling it.

See https://bugs.archlinux.org/task/42954 for more background.

--
Eli Schwartz
Bug Wrangler and Trusted User
Re: [arch-general] AppArmor support
> But I have a question: why was AUDIT enabled in the first place? I thought it
> was considered useless?

AFAIK, it was considered slow (at least for syscalls), but after recent changes
in the kernel it doesn't matter anymore. You can read the discussion here:
https://bugs.archlinux.org/task/42954
Re: [arch-general] AppArmor support
> From: Leonid Isaev via arch-general
> Sent: Sun Sep 09 22:00:03 CEST 2018
> To:
> Cc: Leonid Isaev
> Subject: Re: [arch-general] AppArmor support
>
> FWIW, I actually agree with #59733: CONFIG_AUDIT=n was blocking AppArmor
> adoption... Perhaps relevant:
> https://lists.debian.org/debian-devel/2017/08/msg00090.html .
>
> But I have a question: why was AUDIT enabled in the first place? I thought it
> was considered useless?
>
> Cheers,
> L.
>
> --
> Leonid Isaev

What do you mean by useless? It works pretty normally.

Yours sincerely
G. K.
Re: [arch-general] AppArmor support
On Sun, Sep 09, 2018 at 10:19:37PM +0200, David Runge wrote:
> FYI,
> I'm currently working on bringing the user space tools to [community], but
> the rule sets will require testing and possibly we'll even have to have our
> own set shipped with the package.
>
> I'll let you know asap.

Thanks and pls take your time. I have a VM that runs linux-hardened and is
used to study malicious pdf files. I can test rulesets there...

Cheers,
L.

--
Leonid Isaev
Re: [arch-general] AppArmor support
On 9/9/18, Gus wrote:
> Linux-hardened doesn't support hibernation and I think it's overkill to
> use it on desktop.

Not arguing in any way for or against AppArmor, just another data point
regarding linux-hardened 4.17 and 4.18: I tried linux-hardened on two Intel
machines, and it was less stable than "linux". Some of the changes are
probably invasive/destabilising, which makes sense seeing how slowly and
carefully the mitigations are traveling via Kees Cook into Linus' tree.

I didn't have stability issues with the old linux-grsec packages, though to be
fair those were also way older major releases, which may matter.
Re: [arch-general] AppArmor support
On September 9, 2018 10:00:03 PM GMT+02:00, Leonid Isaev via arch-general wrote:
> On Sun, Sep 09, 2018 at 02:53:04PM -0400, Eli Schwartz via arch-general wrote:
> > Heftig retracted his initial willingness to enable apparmor because he
> > did not think it useful enough without the userland tools. It wasn't
> > rejected because we hate the idea or consider it not Arch-like... it was
> > rejected because on its own, it could be considered not-important-enough
> > to warrant enabling.
>
> FWIW, I actually agree with #59733: CONFIG_AUDIT=n was blocking AppArmor
> adoption... Perhaps relevant:
> https://lists.debian.org/debian-devel/2017/08/msg00090.html .
>
> But I have a question: why was AUDIT enabled in the first place? I thought it
> was considered useless?
>
> Cheers,
> L.

FYI,
I'm currently working on bringing the user space tools to [community], but
the rule sets will require testing and possibly we'll even have to have our
own set shipped with the package.

I'll let you know asap.

As a side note: As Eli already pointed out there is no need for personal
attacks because of a discussion on this topic. We'll try to make this ship
sail, but it needs time (and testing).

Best,
David

--
https://sleepmap.de
Re: [arch-general] AppArmor support
On Sun, Sep 09, 2018 at 02:53:04PM -0400, Eli Schwartz via arch-general wrote:
> Heftig retracted his initial willingness to enable apparmor because he
> did not think it useful enough without the userland tools. It wasn't
> rejected because we hate the idea or consider it not Arch-like... it was
> rejected because on its own, it could be considered not-important-enough
> to warrant enabling.

FWIW, I actually agree with #59733: CONFIG_AUDIT=n was blocking AppArmor
adoption... Perhaps relevant:
https://lists.debian.org/debian-devel/2017/08/msg00090.html .

But I have a question: why was AUDIT enabled in the first place? I thought it
was considered useless?

Cheers,
L.

--
Leonid Isaev
Re: [arch-general] AppArmor support
It was accepted first [1], and then rejected for reasons that don't apply
fully to AppArmor, and I didn't hide anything, so stop playing detective.
Like Scimmia said "There are better mediums to have this discussion." and for
such discussions we have this mailing list, don't we?

[1] https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/linux&id=c75a915313f72924fa0a3ed45356f9e0ea488f3b

On 2018-09-09 18:24, Maksim Fomin via arch-general wrote:
> ‐‐‐ Original Message ‐‐‐
> On Sunday, 9 September 2018 17:34, Gus wrote:
> > > You have been rejected by heftig and tpowa. It is unclear why and what
> > > you are asking here.
> > It was accepted first and then rejected by heftig.
>
> Really? Just rejected by heftig? The issue was rejected 4 times, first by
> heftig then 3 times by Scimmia:
>
> 2018-09-03
> "A Project Manager has denied the request pending for the following task:
> FS#59733 - [linux] enable AppArmor & SELinux
> User who did this - Doug Newgard (Scimmia)
> Reason for denial:
>
> 2018-09-05
> "FS#59733 - [linux] enable AppArmor & SELinux
> User who did this - Doug Newgard (Scimmia)
> Reason for denial: No new information"
>
> "FS#59733 - [linux] enable AppArmor & SELinux
> User who did this - Doug Newgard (Scimmia)
> Reason for denial: I'm not going to reopen a ticket for people to make the
> same argument over and over"
>
> "Reason for denial: Stop having a catfight with the bugwranglers because you
> think, somehow, that people will be less likely to open duplicate bugs just
> because we provide dialog. There are better mediums to have this discussion."
>
> So far, this issue was closed by heftig and then 3 times by bug wrangler.
> This fact was hidden in the first post to this thread.
Re: [arch-general] AppArmor support
On 9/9/18 2:24 PM, Maksim Fomin via arch-general wrote:
> Really? Just rejected by heftig? The issue was rejected 4 times, first by
> heftig then 3 times by Scimmia:

Please do not try to defend me and Scimmia when in fact we told people to
take it to "more appropriate mediums"... like the mailing list, which they
did in fact do *as I personally requested*, and which you are now
reprimanding them for.

Let's be perfectly clear here: There is *nothing* wrong with Gus' attempt at
dialog and discussion -- the fact that it was closed more than once has no
relevance to this discussion, as Gus tried to explain, and moreover the fact
that it was initially accepted *once* then rejected *once* for the reasons
clearly referenced in the initial post, is hardly hidden information.

I am, however, troubled by your attacks, and consider something to be wrong
with that.

Heftig retracted his initial willingness to enable apparmor because he
did not think it useful enough without the userland tools. It wasn't
rejected because we hate the idea or consider it not Arch-like... it was
rejected because on its own, it could be considered not-important-enough
to warrant enabling.

People now want to discuss on the mailing list why it might be worth it
nevertheless. There are valid technical arguments to be made here, and so
far, the initial poster has been pretty polite about it.

Moreover, I agree. Even though I'm not heftig.

Thank you for respecting other peoples' right to ask questions. :)

--
Eli Schwartz
Bug Wrangler and Trusted User
[arch-general] AppArmor support
‐‐‐ Original Message ‐‐‐
On Sunday, 9 September 2018 17:34, Gus wrote:
> > You have been rejected by heftig and tpowa. It is unclear why and what
> > you are asking here.
> It was accepted first and then rejected by heftig.

Really? Just rejected by heftig? The issue was rejected 4 times, first by
heftig then 3 times by Scimmia:

2018-09-03
"A Project Manager has denied the request pending for the following task:
FS#59733 - [linux] enable AppArmor & SELinux
User who did this - Doug Newgard (Scimmia)
Reason for denial:

2018-09-05
"FS#59733 - [linux] enable AppArmor & SELinux
User who did this - Doug Newgard (Scimmia)
Reason for denial: No new information"

"FS#59733 - [linux] enable AppArmor & SELinux
User who did this - Doug Newgard (Scimmia)
Reason for denial: I'm not going to reopen a ticket for people to make the
same argument over and over"

"Reason for denial: Stop having a catfight with the bugwranglers because you
think, somehow, that people will be less likely to open duplicate bugs just
because we provide dialog. There are better mediums to have this discussion."

So far, this issue was closed by heftig and then 3 times by bug wrangler.
This fact was hidden in the first post to this thread.
Re: [arch-general] AppArmor support
> You have been rejected by heftig and tpowa. It is unclear why and what
> you are asking here.

It was accepted first and then rejected by heftig.

> Suppose AppArmor does not require linking. So what?

As heftig wrote, that was the main reason for rejecting SELinux and AppArmor
support, but since it doesn't apply to AppArmor I see no reason to reject it.
Re: [arch-general] AppArmor support
Linux-hardened doesn't support hibernation and I think it's overkill to use
it on desktop.

On 2018-09-09 14:04, Filipe Laíns via arch-general wrote:
> On Sun, 2018-09-09 at 13:42 +, Gus wrote:
> > I know such a request was rejected here
> > https://bugs.archlinux.org/task/59733
> > recently, but still AppArmor doesn't need linking with libraries and
> > doesn't require as much userland support as SELinux, so it will not hurt
> > to have one option enabled in kernel, right?
>
> Hey Gus,
>
> I'm sorry but I'm not the maintainer :/. You'll need to talk to them
> again. If you think the closure of the bug was wrong I suggest to send
> a mail to the mailing list explaining this.
>
> Why don't you use linux-hardened instead? It's up-to-date and has both
> options enabled (AppArmor and SELinux).
>
> I feel that it's the biggest issue. We already have a kernel with both
> options enabled so there's no point in also adding them in the main
> one, given that those options require a lot of userspace support. Do you
> have a relevant reason why you don't want to use linux-hardened? If so,
> that would probably change some things.
>
> Thanks,
> Filipe Laíns
> 3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2
[arch-general] AppArmor support
‐‐‐ Original Message ‐‐‐
On Sunday, 9 September 2018 13:42, Gus wrote:
> I know such a request was rejected here
> https://bugs.archlinux.org/task/59733
> recently, but still AppArmor doesn't need linking with libraries and
> doesn't require as much userland support as SELinux, so it will not hurt
> to have one option enabled in kernel, right?

You have been rejected by heftig and tpowa. It is unclear why and what you
are asking here. Suppose AppArmor does not require linking. So what? Btw, you
hid the information - this issue was reopened and closed again, so it was
reconsidered and was closed twice.
Re: [arch-general] AppArmor support
On Sun, 2018-09-09 at 15:04 +0100, Filipe Laíns via arch-general wrote:
> Hey Gus,
>
> I'm sorry but I'm not the maintainer :/. You'll need to talk to them
> again. If you think the closure of the bug was wrong I suggest to send
> a mail to the mailing list explaining this.
>
> Why don't you use linux-hardened instead? It's up-to-date and has both
> options enabled (AppArmor and SELinux).
>
> I feel that it's the biggest issue. We already have a kernel with both
> options enabled so there's no point in also adding them in the main
> one, given that those options require a lot of userspace support. Do you
> have a relevant reason why you don't want to use linux-hardened? If so,
> that would probably change some things.
>
> Thanks,
> Filipe Laíns
> 3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2

Hey,

Never mind my reply. The email somehow didn't get moved to my mailing list
folder, so I thought it was sent to my address directly. Sorry for the
confusion.

Thanks,
Filipe Laíns
3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2
Re: [arch-general] AppArmor support
On Sun, 2018-09-09 at 13:42 +, Gus wrote:
> I know such a request was rejected here
> https://bugs.archlinux.org/task/59733
> recently, but still AppArmor doesn't need linking with libraries and
> doesn't require as much userland support as SELinux, so it will not hurt
> to have one option enabled in kernel, right?

Hey Gus,

I'm sorry but I'm not the maintainer :/. You'll need to talk to them
again. If you think the closure of the bug was wrong I suggest to send
a mail to the mailing list explaining this.

Why don't you use linux-hardened instead? It's up-to-date and has both
options enabled (AppArmor and SELinux).

I feel that it's the biggest issue. We already have a kernel with both
options enabled so there's no point in also adding them in the main
one, given that those options require a lot of userspace support. Do you
have a relevant reason why you don't want to use linux-hardened? If so,
that would probably change some things.

Thanks,
Filipe Laíns
3DCE 51D6 0930 EBA4 7858 BA41 46F6 33CB B0EB 4BF2
[arch-general] AppArmor support
I know such a request was rejected here
https://bugs.archlinux.org/task/59733
recently, but still AppArmor doesn't need linking with libraries and doesn't
require as much userland support as SELinux, so it will not hurt to have one
option enabled in kernel, right?