Commit dfe7aeca authored by Tails developers

Update AppArmor and hardening compilation status for Wheezy.

parent 6a468284
......@@ -127,17 +127,17 @@ a snapshot of Debian testing/unstable at a given point of time.
*Ubuntu ships the AppArmor Mandatory Access Control system.*
**Answer**: right. We [[would like|todo/Mandatory_Access_Control]] to
get something similar into Tails, and more generally into Debian. But
don't misread the press releases: AppArmor is enabled for very few
applications in Ubuntu.
get something similar into Tails: that's why we have done a great part
of the work that was needed to add basic AppArmor support in Debian
Wheezy. But don't misread the press releases: AppArmor is enabled for
very few applications in Ubuntu.
*Ubuntu uses compiler hardening options by default.* **Answers**:
right. Ubuntu makes a point here. That's why we have been helping
pushing this into Debian. This is now a release goal for Debian
Wheezy, and being actively worked on. On the other hand, such options
are not the security Grail; while they put the bar a bit higher for
the attacker, there are known ways to workaround them, and exploit the
so-called protected binaries anyway. Given the tendency is that more
and more distribution vendors enable those options, it seems safe to
bet serious attackers take this into account, and design their
exploits accordingly.
right. Ubuntu makes a point here, but this is quite temporary: Debian
Wheezy will ship with many packages compiled with hardening options
too. On the other hand, such options are not the security Grail; while
they put the bar a bit higher for the attacker, there are known ways
to workaround them, and exploit the so-called protected binaries
anyway. Given the tendency is that more and more distribution vendors
enable those options, it seems safe to bet serious attackers take this
into account, and design their exploits accordingly.
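
Review bot: In the rewritten hardening answer, "Debian Wheezy will ship with many packages compiled with hardening options too" replaces the concrete release-goal statement with an unquantified claim and no reference; consider linking to where the status is tracked, or saying which kinds of packages are covered, so the reader can judge how "temporary" Ubuntu's advantage is. In the AppArmor answer, the new wording says the work went into "basic AppArmor support in Debian Wheezy" but does not say whether Tails itself confines any application, while the [[would like|todo/Mandatory_Access_Control]] link still reads as future work; one sentence on the current state in Tails would resolve that. Minor, in text this hunk already rewrites or shows: "workaround them" should be "work around them", and the second item's label reads "**Answers**:" where the first item uses "**Answer**:".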