Report from the AppArmor BoF at DebConf18

After a discussion started on debian-devel a year ago, AppArmor has been enabled by default in testing/sid since November 2017 as an experiment. We'll soon need to decide whether Buster ships with AppArmor by default or not. Clément Hermann and yours truly have hosted a BoF at DebConf18 in order to gather both subjective and factual data that can later be used to:

1. draw conclusions from this experiment;
2. identify problems we need to fix.

About 40 people attended this BoF; about half of them to participated actively, which is better than I expected even though I think we can do better.

Opting-in or -out

We started with a show of hands:

• Out of 7 attendees who run Debian Stretch on their main system, 3 have voluntarily enabled AppArmor. course the attendees
• Out of 15 attendees who run Debian testing/sid on their main system, 4 have voluntarily disabled AppArmor.
  → It would be interesting to understand why; if you're in this situation, let's talk!

Sticky notes party

We had a very dynamic collaborative sticky notes party aiming at gathering feeling and ideas, in a way that let us identify which ones were most commonly shared among the attendees.

Process

We asked the participants to write down their answers to the following questions on sticky notes (one idea per post-it):

• How have you felt about your personal AppArmor experience so far?
• How do you feel about the idea of keeping AppArmor enabled by default in the Debian Buster release?

Then we de-duplicated and categorized the resulting big pile of post-its together on a whiteboard. Finally, everyone got the chance to "+1" the four ideas/feelings they shared the most.

Output

If you're curious, here's what the whiteboard contained at the end.

Here are the conclusions I draw from this data:

• A clear majority of the actively participating attendees have a generally positive feeling about AppArmor since it was enabled.
• A clear majority of the actively participating attendees like the idea of keeping it enabled in Debian Buster. This is not very surprising coming from a small crowd of people who were interested enough to attend this BoF, but still.
• Many attendees would like AppArmor to confine more software.
• We need integration tests for AppArmor policy… just like we need integration tests for many other things in Debian.
• We need at the very least better documentation (to explain how to use the existing policy debugging/development tools) and probably better integration in Debian (e.g. reportbug).
• Regarding desktop apps sandboxing, the audience seemed to be split:
  • Those who were lead to believe that AppArmor is, in itself, a great technology to sandbox desktop apps. I think that's a misunderstanding; I know I'm at partly responsible for it and will do my best to fix it.
  • Those who echoed the concerns I had written on post-its myself about this strategy and communication problem.

I will update/file bug reports to reflect these conclusions.

Open discussion

Finally, we had an open discussion, half brainstorming ideas and half "ask me anything about AppArmor". For the curious, I've compiled the notes that were taken by Clément Hermann.

Meta

I want to thank:

• Clément Hermann for co-hosting this session with me;
• all attendees for playing the sticky notes party game — which was probably not what they expected when entering the room — and for their valuable input.

The feedback I got about the sticky notes party format was very positive: a few attendees told me it made them feel more part of the decision making process. Credits are due to Gunner for the inspiration!

If you attended this BoF and want to share your thoughts about how it went, I'm all ears → intrigeri@debian.org :)