Re: Let's enable AppArmor by default (why not?)
> I'd expect that a lot of the AppArmor profiles currently in use are
> coming from Ubuntu or OpenSUSE.
Yes, historically (most of them are now maintained via a cross-distro
collaborative effort that a few Debian people participate in).
> If one of those profiles relies on features which are not upstreamed
> on the kernel end, how's that handled?
Rules that are not supported by the running kernel are silently
ignored, i.e. the operation is allowed.
For example, the profile for ping(8) specifies:
network inet raw,
network inet6 raw,
In Ubuntu, and in Debian once network socket mediation support lands
in Linux mainline, this means "no socket(2) based operation is allowed
except inet and inet6 raw sockets". In current Debian, no network
mediation by AppArmor is available so all socket(2) based operations
* the same profile can be shared between distros, regardless of
whether they apply not-upstreamed-yet AppArmor kernel patches;
* once new AppArmor features land in Linux mainline, we automatically
benefit from stronger confinement that's already implemented in our