Page 1 of 1

Good Idea to use AppArmor?

Posted: 03 Oct 2014 11:42
by MatthewLM
Hi, would anyone recommend enabling AppArmor for SolydXK as per the debian how-to: https://wiki.debian.org/AppArmor/HowTo ?

I assume it would work fine but since there is no mention of it on these forums or elsewhere for SolydXK and since AppArmor would have quite a major effect, I was wondering if this is something with SolydXK support?

What disadvantages does AppArmor give? If it enhances system security, why isn't it enabled by default in debian and SolydXK?

Re: Good Idea to use AppArmor?

Posted: 03 Oct 2014 13:37
by kurotsugi
the main drawback is that it's not quite user friendly for average user. especially those early linux adopter which recently move from windows. most of them didn't even know what is it. for these reasons security feature will remain optional. user can enable it but it won't made as default.

Re: Good Idea to use AppArmor?

Posted: 03 Oct 2014 14:43
by MatthewLM
True, but Ubuntu uses it behind the scenes. A typical user never needs to know it's there. Ubuntu enables AppArmor and installs security profiles without user involvement. So if Ubuntu does it, why not Debian/SolydXK?

Re: Good Idea to use AppArmor?

Posted: 03 Oct 2014 15:11
by Zill
MatthewLM wrote:...So if Ubuntu does it, why not Debian/SolydXK?
... Because Debian/SolydXK is not Ubuntu! It would be rather silly having lots of identical distros, all with exactly the same installed packages and functionality. ;-)

AppArmor is in the Debian/SolydXK repos and so all users are free to install and use it if they wish. Choice is good! :-)

Re: Good Idea to use AppArmor?

Posted: 03 Oct 2014 15:14
by MatthewLM
But it's no good doing something differently unless there was a benefit to doing it. There has to be a benefit to not having AppArmor enabled or else why is it disabled? I'm not saying it should be enabled by default, I'm just curious as to why.

Re: Good Idea to use AppArmor?

Posted: 03 Oct 2014 15:33
by Zill
MatthewLM: Linux systems are, unlike other OS's, generally secure by default OOTB for most desktop users. While it is possible for such users to degrade this security, the risks are normally quite low unless the user does something stupid.

However, some Linux users do require a higher level of security, particularly those running public-facing servers and other mission-critical systems. Security hardened versions such as SELinux and other security add-ons such as AppAmor can be used to provide additional security for those who need it.

Installing all this additional security does have a downside in increasing the complexity of the system, making maintenance harder for the sysadmin and increasing the size of the installation and all subsequent upgrades. It may also slow it down. For this reason, it is, IMHO, undesirable to automatically include such bloat that is, for many users, unnecessary.

Linux isn't really about a "one size fits all" approach but rather a bespoke suit that is "made to measure" to fit each user's individual requirements.

Re: Good Idea to use AppArmor?

Posted: 03 Oct 2014 15:40
by MatthewLM
Good answer. I suppose that as long as you keep the system up to date and generally secure AppArmor (or SELinux) is probably overkill for Desktops on Linux.

Re: Good Idea to use AppArmor?

Posted: 03 Oct 2014 16:47
by kurotsugi
in my understanding the reason why ubuntu got benefit from apparmor is because they created an apparmor profile for their packages. it's easy for them because ubuntu is configured for desktop. on the other hand, debian is configured for both server and desktop. there's no such universal apparmor profile for both desktop and server. each need a specific profile. for this reason debian didn't provide an apparmor profile for their package.

the 'how apparmor works' it needs certain profile for the applications to make it work. in that case we can't use 'enable it and the user should not even have to know it' approaching model. enabling apparmor on solydxk might quite easy but without those profiles there's no benefit for doing it.

CMIIW