Bug#880441: linux-image-4.13.0-1-amd64: silently enabled AppArmor breaks other programs

[intrigeri <intrigeri@debian.org>]

Hi,

Ben Hutchings:
> My understanding was that enabling AppArmor shouldn't do very much
> until a policy is loaded (which it won't be if you don't install the
> userland tools).  As you've found, that isn't entirely correct.

Let me clear a potential misunderstanding:

 - It *is* correct that the AppArmor LSM doesn't do very much if no
   policy is loaded, i.e. if the apparmor package is not installed.

 - The only report I've heard of so far of breakage caused by AppArmor
   being enabled in the kernel by default, on systems that have no
   AppArmor policy loaded, is #880490. That bug was not about AppArmor
   denying anything, but about systemd trying to switch to an AppArmor
   profile that was not loaded (precisely because the apparmor package
   was not installed). Thankfully that bug has been fixed very
   quickly. According to codesearch.debian.net it was the only
   instance of this problem. I'm sorry I didn't think of this corner
   case initially.

> Still, I'll bump this back to serious as I don't think we should let
> this into testing yet.

I think this does not apply anymore, now that the "unrelated" breakage
has been fixed, and the reasons behind it clarified. What do
you think?

Cheers,
-- 
intrigeri