Crispin responds to allegations that AppArmor is dying

A recent post from Russ Coker entitled “AppArmor is Dead” was tolling the death bells for AppArmor because SUSE decided to include SELinux in their operating system… not as the default, and not as a replacement for AppArmor, but it was included nonetheless. Russ determined that this was the beginning of the end for AppArmor, and I read it with some interest largely because Mandriva has settled on AppArmor as our security solution… largely because it fits with our ideal of making things nice and easy for our users. So of course, a post that seems to bring doom and gloom about our security solution is something we’re interested in reading about because if it’s true, then we’ve invested time and effort into the wrong solution.

I read it and thought it had some interesting points, but I didn’t think they were overly valid and it didn’t concern me too much. Yeah, it all seems indicative of the demise of AppArmor (the entire AppArmor team being laid off, the inclusion of SELinux in future products, etc), but there is no real indication that AppArmor is being discontinued or killed off as a result.

Anyways, Crispin wrote a blog entry responding to it yesterday, entitled “Go Ahead, Make My Day”. Essentially he indicates that there is a bit of paranoia associated with Russ’ post in the conclusion he draws about AppArmor’s demise. Of course, Crispin works for Microsoft now and he makes a valid point. If AppArmor is dying, and since Crispin is working for Microsoft to improve the security mechanisms in Windows’ products, then his job is made easier (thus the title). If Windows security has to compete with the complexity of SELinux, then he indicates his job is all that much easier because all he has to do is make Windows security “easier and more effective to deploy than SELinux”.

Unfortunately, he makes a good point. If SELinux is the “standard”, then security mechanisms that are both easier to use and easier to deploy will become more popular and will just add fuel to the “Linux is harder than Windows” argument. I disagree with that argument… personally, I find Linux easier and Windows more frustrating. But if Windows comes out with something as effective and easy to use as AppArmor, and AppArmor is dead and we’re all using SELinux, when people wake up and realize that good security doesn’t necessarily mean all the complexities of SELinux and similar systems are a necessity, then the argument would be true: Linux would indeed be harder to use than Windows simply due to the (what I believe will soon become a necessity for anyone using a computer) inherent security designs in a user’s chosen operating system.

In other words, while Russ may be right (after all, I don’t work for Novell so I can’t lay something like this to rest, I can only speculate, as can Russ and also Crispin), I sincerely hope he’s wrong. SELinux may be a fantastic system for those who use it, but for those of us who don’t require military-grade security, AppArmor does a very nice job thank-you-very-much of keeping our systems safe.

9 comments for “Crispin responds to allegations that AppArmor is dying”

  1. September 3, 2008 at 11:44 am

    Luckily, AppArmor is Free Software, correct? If so I would bet there are interested parties in keeping it running, although you may have to fork it under a new name. If it isn’t Free Software, I don’t think Mandriva would have used it (or shame on you) :)

    I’ve never used either much (some SELinux at work) but it is always nice to have options. I don’t care what MS is building, I wouldn’t trust their systems to secure my data ever.

  2. September 3, 2008 at 11:59 am

    Yes, it’s free software, of course, otherwise we wouldn’t use it. =)

    No, and I wouldn’t trust Windows security either. But, having said that, if there is a perception that Windows security (in a future version, obviously) is adequate and easier than something on Linux (assuming for a moment that SELinux becomes a de facto standard in its current incarnation of complexity), then there is a worrying problem.

  3. proyvind
    September 3, 2008 at 4:54 pm

    Maybe Mandriva should employ someone to work on apparmor?
    With finally non-red numbers indicated for the next quarter, it might not be totally unrealistic. :)

  4. September 3, 2008 at 4:56 pm

    I’d be all for it (as long as it’s not me, mind you!). I don’t know if that would be something on the radar or not (I’m sure they feel there are more important areas that could use some financial support), but it sure would be a nice idea. =)

  5. August 25, 2009 at 3:12 pm

    …almost 1 year later AppArmor still looks as dead as before.. :)

  6. August 25, 2009 at 8:07 pm

    hehe.. yeah.. unfortunately, I still know AppArmor better than I do SELinux… I really need to take some time to learn the ins and outs of SELinux one of these days.

  7. August 26, 2009 at 6:44 am

    Now we have tomoyo too, and it is in the main kernel also.

    It is quite similar to apparmor. Its only drawback is that it does not provide readily-available profiles for applications, but this is something I am trying to do with tomoyo-gui (http://dodonov.net/blog/2009/07/10/more-tomoyo-and-msec-news/).