Re: [DNG] Debian Busters latest kernel
Hi Dave,

Cc:ing this to the list again, hope you don't mind.

Dave Turner writes:

> On 29/11/17 11:07, Olaf Meeuwissen wrote:
>> Hi Dave,
>>
>> Dave Turner writes:
>>
>>> On 27/11/17 21:58, Rowland Penny wrote:
>>>> Hi, a guy has just asked a question on the samba mailing list about
>>>> apparmor and Samba, it seems that last week, apparmor became a
>>>> dependency for the kernel on Buster, because of systemd.
>>>>
>>>> Can I take it this dependency will be removed in Beowulf ?
>>> What debian gets up to on 'testing' = Buster and 'unstable' = sid can be
>>> interesting at times.
>>>
>>> If that dependency on apparmor is now in Buster I would expect it to be
>>> in sid having proved itself as a 'good thing'.
>> Not necessarily. Moving from unstable to testing merely means that
>> nobody using unstable was annoyed enough by any breakage to file a
>> sufficiently severe bug report against the package within the grace
>> period (ten days for packages with urgency=low, IIRC).
>>
>>> Having just checked my sid install there are no signs of apparmor being
>>> a dependency for the kernel or for Samba.
>> As Adam mentioned, it's a Recommends: of the kernel but you may be left
>> with a non-booting machine unless you pass an `apparmor=0` to the kernel
>> at boot time.
> Olaf,
>
> In which file would I find the line 'apparmor=0' ?
>
> I did a 'sudo grep -R apparmor' in /bin and /boot and /etc and /sbin.
> apparmor is definitely in quite a few places but that line never showed up!

That is exactly the problem. It is something *you* have to add if you
decide to remove apparmor. You *can* add it interactively at the boot
prompt every time you boot, but it would be much better for your sanity
to add it in /etc/default/grub (to the GRUB_CMDLINE_LINUX variable) and
run `sudo update-grub` to persist that in /boot/grub/grub.cfg.

# In principle, the apparmor package's postrm could do this for you (but
# it is probably not trivial to get right in all situations).

> Interestingly 'sudo grep -R apparmor' run from / crashed my laptop!

If you want to grep / recursively, there is no point in dereferencing
symlinks as you'll get to process where they point to anyway ;-)
A -r should suffice.

That said, you probably do *not* want to grep your virtual file systems,
devices, sockets and all of memory. So you'd be better off doing
something like

  sudo grep -r -D skip apparmor $(ls / | sed '/dev/d; /proc/d; /run/d; \
                                               /sys/d; /tmp/d')

Feel free to adjust the sed expression to your system's idiosyncrasies
but this should cover the most common cases. You might want to add
/media and /mnt as these are normally used for temporary content.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2
FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
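Olaf's advice above (add `apparmor=0` to GRUB_CMDLINE_LINUX in /etc/default/grub, run update-grub, then verify after reboot) as an added shell example; this is not code from the thread. It assumes GRUB_CMDLINE_LINUX, when present, is a double-quoted line, and the demonstration file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: persist apparmor=0 on the kernel
# command line by editing a /etc/default/grub-style file idempotently.
# Real use (as root): add_cmdline_param /etc/default/grub apparmor=0
# then update-grub, and after reboot: cmdline_has_param "$(cat /proc/cmdline)" apparmor=0

# add_cmdline_param FILE PARAM: append PARAM to GRUB_CMDLINE_LINUX in FILE
# unless it is already there; creates the variable if FILE lacks it.
# Assumption: the variable is written as GRUB_CMDLINE_LINUX="..." on one line.
add_cmdline_param() {
    file="$1"; param="$2"
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$file")
    case " $current " in
        *" $param "*) return 0 ;;          # already present: nothing to do
    esac
    if [ -z "$current" ]; then new="$param"; else new="$current $param"; fi
    # The trailing '=' keeps GRUB_CMDLINE_LINUX_DEFAULT from matching.
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        # Rewrite via a temp file: portable across GNU and BSD sed.
        sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new" >> "$file"
    fi
}

# cmdline_has_param CMDLINE PARAM: true if PARAM is a whole word in CMDLINE
# (use it on the contents of /proc/cmdline to confirm the setting took).
cmdline_has_param() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Demonstration on a constructed copy of the file (nothing system-wide).
demo=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX="quiet"\n' > "$demo"
add_cmdline_param "$demo" apparmor=0
add_cmdline_param "$demo" apparmor=0      # second call is a no-op
grep '^GRUB_CMDLINE_LINUX=' "$demo"       # GRUB_CMDLINE_LINUX="quiet apparmor=0"
rm -f "$demo"
```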
Re: [DNG] Debian Busters latest kernel
Hi Dave,

Dave Turner writes:

> On 27/11/17 21:58, Rowland Penny wrote:
>> Hi, a guy has just asked a question on the samba mailing list about
>> apparmor and Samba, it seems that last week, apparmor became a
>> dependency for the kernel on Buster, because of systemd.
>>
>> Can I take it this dependency will be removed in Beowulf ?
>
> What debian gets up to on 'testing' = Buster and 'unstable' = sid can be
> interesting at times.
>
> If that dependency on apparmor is now in Buster I would expect it to be
> in sid having proved itself as a 'good thing'.

Not necessarily. Moving from unstable to testing merely means that
nobody using unstable was annoyed enough by any breakage to file a
sufficiently severe bug report against the package within the grace
period (ten days for packages with urgency=low, IIRC).

> Having just checked my sid install there are no signs of apparmor being
> a dependency for the kernel or for Samba.

As Adam mentioned, it's a Recommends: of the kernel but you may be left
with a non-booting machine unless you pass an `apparmor=0` to the kernel
at boot time.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2
Re: [DNG] Debian Busters latest kernel
On Mon, Nov 27, 2017 at 09:58:40PM +, Rowland Penny wrote:
>
> Hi, a guy has just asked a question on the samba mailing list about
> apparmor and Samba, it seems that last week, apparmor became a
> dependency for the kernel on Buster, because of systemd.

Uhh, it's no dependency, merely a Recommends:. You're free to drop it,
although in which case you need to boot with apparmor=0.

> Can I take it this dependency will be removed in Beowulf ?

It looks like apparmor causes some problems, but like many security
hardening measures, it might or might not be worth it in the end.
That's why the announcement says it will be reevaluated before Buster's
freeze.

Apparmor guys tested it for a long time as non-default, and only then
pushed as the default for wider testing. If you don't want to help them
by reporting issues, just disable it (apparmor=0 or build a kernel that
doesn't load apparmor by default). I have enough on my plate so I opted
out this way, too! But testing by people who run Devuan is especially
valuable: you're more likely to find bugs that trigger when running
without systemd. And bugs are easy to fix before the release...

Enabling any LSM by default has such problems. I for one want to block
'\n' and bytes 1-31,127 in file names as IMHO they have no legitimate use
but cause problems, including security ones. A simple patch to ban them
was NACKed and I was told to re-do this as a LSM. Which I'm going to do,
and once tested, I'll harass Debian's kernel maintainers to enable by
default. Thus, feel forewarned if you value your freedom to have \n in
file names by default.

Meow!
--
⢀⣴⠾⠻⢶⣦⠀ Mozilla's Hippocritical Oath: "Keep trackers off your trail"
⣾⠁⢰⠒⠀⣿⡁ blah blah evading "tracking technology" blah blah
⢿⡄⠘⠷⠚⠋⠀ "https://click.e.mozilla.org/?qs=e7bb0dcf14b1013fca3820...;
⠈⠳⣄ (same for all links)
[DNG] Debian Busters latest kernel
Hi, a guy has just asked a question on the samba mailing list about
apparmor and Samba, it seems that last week, apparmor became a
dependency for the kernel on Buster, because of systemd.

Can I take it this dependency will be removed in Beowulf ?

Rowland