[arch-general] AppArmor support

Michal Soltys soltys at ziu.info
Fri Sep 28 00:28:38 UTC 2018


On 2018-09-10 00:13, Eli Schwartz via arch-general wrote:
> 
> It is definitely not useless! It's historically been disabled because it
> did not have any good way to enable support, but keep it turned off by
> default. And having it turned on by default came with mandatory
> slowdowns for *all* users.
> 
> Ironically, Spectre has proven to be our friend here -- due to all the
> mitigations, there is now no fast path for these system calls, so your
> kernel is just as slow whether AUDIT is enabled or not. Therefore, we
> ended up simply enabling it.
> 

That's not precisely like that - spectre & friends workarounds can be
trivially disabled (e.g.: pti, spectre_v2, spec_store_bypass_disable,
l1tf) - bringing "old" nominal performance back (whether a good or bad
idea, that of course depends on what/how you run your linux on, and for
what purpose). Not to mention CPUs that will eventually come not needing
those workarounds.

So in this context audit=0 is a very viable thing - if one (and that's
probably the crushing majority of users) doesn't need this feature
(directly or indirectly).
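The parameters named above (pti, spectre_v2, spec_store_bypass_disable, l1tf, audit) are all kernel command-line switches, so a practitioner auditing a host wants a quick way to see which of them are present. The script below is an added example and is not part of the thread or of any Arch tooling; it parses a command line for the mitigation-disabling spellings listed in the kernel's kernel-parameters.txt (the bare `nopti`/`nospectre_v2`/`nospec_store_bypass_disable` forms as well as the `=off` forms) plus `audit=0`, and reports them. It also recognises `mitigations=off`, which is an assumption beyond the 2018 post since that umbrella switch only appeared in later kernels. The sample command lines are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: report which Spectre-family mitigations and which audit
# setting a kernel command line switches off. Not code from the thread.
# Parameter spellings follow Documentation/admin-guide/kernel-parameters.txt;
# mitigations=off is newer than the post and included as an assumption.

# Tokens that disable a hardware-vulnerability mitigation (exact-match list).
MITIGATION_OFF_PARAMS="pti=off nopti spectre_v2=off nospectre_v2 \
spec_store_bypass_disable=off nospec_store_bypass_disable l1tf=off mitigations=off"

# Print, one per line and in command-line order, every mitigation-disabling
# parameter present in the given command line. Whole-token match only, so
# "pti=on" or "pti=auto" never counts as disabled.
disabled_mitigations() {
    for tok in $1; do
        for p in $MITIGATION_OFF_PARAMS; do
            [ "$tok" = "$p" ] && echo "$tok"
        done
    done
    return 0
}

# Exit status 0 when audit=0 is on the command line, 1 otherwise.
audit_disabled() {
    for tok in $1; do
        [ "$tok" = "audit=0" ] && return 0
    done
    return 1
}

# Produce a one-line verdict for a command line.
summarize() {
    found=$(disabled_mitigations "$1" | tr '\n' ' ')
    found=${found% }
    if audit_disabled "$1"; then audit=disabled; else audit=enabled; fi
    if [ -n "$found" ]; then
        echo "mitigations disabled: $found; audit: $audit"
    else
        echo "mitigations disabled: none; audit: $audit"
    fi
}

# Constructed sample command lines (not taken from a real host).
SAMPLE_DEFAULT="BOOT_IMAGE=/vmlinuz-linux root=/dev/sda2 rw quiet"
SAMPLE_FAST="BOOT_IMAGE=/vmlinuz-linux root=/dev/sda2 rw pti=off spectre_v2=off spec_store_bypass_disable=off l1tf=off audit=0"

# Usage: run with --live to inspect the running kernel's own command line.
if [ "$1" = "--live" ] && [ -r /proc/cmdline ]; then
    summarize "$(cat /proc/cmdline)"
fi
```

Note that the command line only shows what was requested at boot; the effective state of each mitigation on the running kernel is what /sys/devices/system/cpu/vulnerabilities/* reports, and the two should be checked together.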

