(forwarding Seth's reply to the bug report)

--- Begin Message ---
On Tue, Jul 04, 2017 at 09:52:55AM +0200, intrigeri wrote:
> Drawbacks of shipping not-quite-ready-yet profiles (in complain mode)
> in /etc/apparmor.d/:
>  * it's hard to communicate to users the quality of these profiles,
>    and where bugs/improvements shall be submitted; currently we have

Complain-mode profiles can also have significant performance penalties:

- Verbose logging can steal IOPS and keep hard drives from going to sleep.

- Missing 'x' rules can lead to enormous kernel memory use due to
  auto-generated //null- profiles.

- The kernel memory pressure can induce premature swapping which hurts
  extra hard when the log files are seeing constant IO.

There's not much middle ground between "good enough to be enabled by
default" and "should not be enabled by default". If we don't trust it
to be correct for the vast majority of users, we shouldn't enable it by
default, even if unconfined. The penalties for those few can be pretty
steep and that leads to turning off AppArmor entirely rather than just
the one profile that's not ready.



--- End Message ---
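As an added illustration of the second penalty above (a missing 'x' rule letting a complain-mode profile spawn a //null- profile for each exec), here is a small Python triage of audit log lines. It is not part of Seth's message or of the pkg-apparmor packaging; the field layout follows the AppArmor audit format, but the four sample events (profile names, pids, paths) are constructed for the example.

```python
import re
from collections import defaultdict

# Tokeniser for key="value" / key=value pairs in an AppArmor audit line.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_fields(line):
    """Return {key: value} for one audit log line (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}

def triage_complain_log(lines):
    """Summarise complain-mode ('ALLOWED') events per confined profile.

    Returns {profile: {"allowed": count, "null_targets": {exec targets}}}.
    Events logged under a //null- child are folded back into the parent
    profile, and each exec that landed in a //null- profile is recorded as a
    target that needs an explicit 'x' rule.
    """
    summary = defaultdict(lambda: {"allowed": 0, "null_targets": set()})
    for line in lines:
        f = parse_fields(line)
        if f.get("apparmor") != "ALLOWED":
            continue  # enforce-mode DENIED and STATUS lines are out of scope
        parent = f.get("profile", "").split("//null-", 1)[0]
        summary[parent]["allowed"] += 1
        if f.get("operation") == "exec" and "//null-" in f.get("target", ""):
            summary[parent]["null_targets"].add(f.get("name", ""))
    return dict(summary)

def needs_x_rules(summary):
    """Profiles that generated //null- children and so need exec rules."""
    return sorted(p for p, s in summary.items() if s["null_targets"])

# Constructed sample events; not taken from a real system.
SAMPLE_LOG = """\
type=AVC msg=audit(1499154775.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/ld.so.cache" pid=4242 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499154775.102:202): apparmor="ALLOWED" operation="exec" profile="/usr/bin/example" name="/bin/sh" pid=4242 comm="example" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/example//null-/bin/sh"
type=AVC msg=audit(1499154775.103:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/example//null-/bin/sh" name="/etc/passwd" pid=4243 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499154775.104:204): apparmor="DENIED" operation="open" profile="/usr/sbin/enforced" name="/root/.ssh/id_rsa" pid=4300 comm="enforced" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
""".splitlines()

if __name__ == "__main__":
    result = triage_complain_log(SAMPLE_LOG)
    for profile in needs_x_rules(result):
        print(profile, "->", sorted(result[profile]["null_targets"]))
```

Run it against `journalctl -k` or `/var/log/audit/audit.log` output instead of SAMPLE_LOG to see which shipped complain-mode profiles are quietly growing //null- children on a given machine.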
