[arch-general] AppArmor support
eschwartz at archlinux.org
Sun Sep 9 22:13:24 UTC 2018
On 9/9/18 4:00 PM, Leonid Isaev via arch-general wrote:
> FWIW, I actually agree with #59733: CONFIG_AUDIT=n was blocking AppArmor
> adoption... Perhaps relevant:
> https://lists.debian.org/debian-devel/2017/08/msg00090.html .
> But I have a question: why was AUDIT enabled in the first place? I thought it
> was cosidered useless?
It is definitely not useless! It's historically been disabled because it
did not have any good way to enable support, but keep it turned off by
default. And having it turned on by default came with mandatory
slowdowns for *all* users.
Ironically, Spectre has proven to be our friend here -- due to all the
mitigations, there is now no fast path for these system calls, so your
kernel is just as slow whether AUDIT is enabled or not. Therefore, we
ended up simply enabling it.
See https://bugs.archlinux.org/task/42954 for more background.
Bug Wrangler and Trusted User
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the arch-general