[arch-general] AppArmor support

Leonid Isaev leonid.isaev at jila.colorado.edu
Sun Sep 9 22:45:34 UTC 2018


On Sun, Sep 09, 2018 at 06:13:24PM -0400, Eli Schwartz via arch-general wrote:
> On 9/9/18 4:00 PM, Leonid Isaev via arch-general wrote:
> > FWIW, I actually agree with #59733: CONFIG_AUDIT=n was blocking AppArmor
> > adoption... Perhaps relevant:
> > https://lists.debian.org/debian-devel/2017/08/msg00090.html .
> > 
> > But I have a question: why was AUDIT enabled in the first place? I thought it
> > was considered useless?
> 
> It is definitely not useless! It's historically been disabled because it
> did not have any good way to enable support, but keep it turned off by
> default. And having it turned on by default came with mandatory
> slowdowns for *all* users.
> 
> Ironically, Spectre has proven to be our friend here -- due to all the
> mitigations, there is now no fast path for these system calls, so your
> kernel is just as slow whether AUDIT is enabled or not. Therefore, we
> ended up simply enabling it.
> 

Good to know. I remember arguments like "audit is primarily necessary for
selinux that we don't have... Otherwise it just spams logs". In any case,
audit=0 is the way to go for me.

Cheers,
L.

-- 
Leonid Isaev
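Since the thread turns on two independent switches (whether CONFIG_AUDIT is built into the kernel, and whether audit=0 on the boot command line turns the subsystem off at boot), here is an added shell example, not from the thread or from Arch's packaging, that reports the effective audit state from a kernel config and a command line. It assumes the config uses the /proc/config.gz text form and that, for a repeated audit= parameter, the last value on the line wins.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): report the effective
# state of the kernel audit subsystem from kernel config text and a boot
# command line. Assumptions: config text is in the "CONFIG_AUDIT=y" /
# "# CONFIG_AUDIT is not set" form used by /proc/config.gz, and cmdline is
# the space-separated contents of /proc/cmdline.

# audit_state CONFIG_TEXT CMDLINE -> prints one of:
#   not-built       CONFIG_AUDIT is absent or "is not set"
#   built-disabled  built in, but audit=0 on the command line turns it off at boot
#   built-enabled   built in and not disabled on the command line
audit_state() {
    config="$1"
    cmdline="$2"
    if ! printf '%s\n' "$config" | grep -qx 'CONFIG_AUDIT=y'; then
        echo "not-built"
        return
    fi
    # Scan every word; the last audit= value on the line wins (assumption).
    state="built-enabled"
    for word in $cmdline; do
        case "$word" in
            audit=0) state="built-disabled" ;;
            audit=1) state="built-enabled" ;;
        esac
    done
    echo "$state"
}

# Constructed sample inputs, not taken from any real system.
SAMPLE_CONFIG_ON='CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y'
SAMPLE_CONFIG_OFF='# CONFIG_AUDIT is not set'
SAMPLE_CMDLINE_OFF='BOOT_IMAGE=/vmlinuz-linux root=/dev/sda2 rw audit=0'
SAMPLE_CMDLINE_ON='BOOT_IMAGE=/vmlinuz-linux root=/dev/sda2 rw'

# Check the running kernel, if it exposes its config via /proc/config.gz.
live_audit_state() {
    if [ -r /proc/config.gz ] && [ -r /proc/cmdline ]; then
        audit_state "$(zcat /proc/config.gz)" "$(cat /proc/cmdline)"
    else
        echo "unknown (no readable /proc/config.gz)"
    fi
}
```

Run `live_audit_state` on a box to see which of the two switches is actually in effect after a kernel or bootloader change.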

