https://bugzilla.novell.com/show_bug.cgi?id=724829 https://bugzilla.novell.com/show_bug.cgi?id=724829#c5 Christian Boltz <suse-beta@cboltz.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |security-team@suse.de --- Comment #5 from Christian Boltz <suse-beta@cboltz.de> 2011-11-14 21:58:32 CET --- (In reply to comment #4)
If $FOO would be helpful when $CONDITION is met, we should wait for $CONDITION to happen. Enabling by default means maintaining it,
guess what I'm doing since some months ;-) and I'm also well-known on the upstream mailinglist since years - money quote (from february 2007): ----------
"Quite low" is 1 in 4 billion. Murphy could make me believe you saw it once, but not twice. You could plausibly see it in a stress test rig This _is_ Christian :) he has a knack for finding bugs no one else can.. [> Crispin Cowan and Seth Arnold in apparmor-general]
means updating profiles once application behavior changes. This usually includes bug reports of 'broken' apps first.
I'm using AppArmor on my systems (desktop + some web/mail servers) myself, so there are good chances that I notice it quite fast if a profile needs to be updated.
Maybe the majority of confined services don't change that much, but I would like to see a real assessment of AppArmor before we pretend it adds any value.
Understandable, even if I wonder why nobody asked in the last years ;-) AppArmor is included (and was enabled) since how many years now?
Even if we have some profiles, are we really sure they actually do what they're supposed to do (i.e. catch all security-relevant cases) or is this just a it-feels-safer (tm) solution?
Show me something that makes a system 100% safe, please ;-) If you had written "catch _nearly_ all security-relevant cases", I'd say yes. Upstream is very picky before accepting profile patches (and ask why a change/additional permission is needed if it isn't obvious), therefore I'm sure the profiles don't allow more than they should allow.
Has it been proven that AppArmor itself isn't subject to security issues? Are
The only issue I'm aware of is bug 717209 (fixed in 12.1 by newer upstream kernel), but the impact is very limited - it crashes the current task (which is obviously misbehaving when writing garbage to /proc, so you could even call it a feature ;-)) and triggers a crash dump (if enabled).
there reported cases where it really defeated a security breach?
Counter-question: are there reported cases where your firewall really defeated a security breach? (In theory all applications/daemons are secure, so why would you need a firewall?) The "problem" with such questions is that you will get the answer _after_ something went wrong. Security tools are like a fire insurance - hopefully you'll never need it, but if you don't have one and your house burns down, you'll have a really big problem... Back to the original question: That's something the security team can probably answer better. I'll needinfo them... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.