
Bug#883800: Ubuntu stance on disabling apparmor profiles



On Mon, Feb 26, 2018 at 06:43:18PM +0100, Olivier Tilloy wrote:
> Although it wouldn't be a big deal to diverge, it'd be easier if we
> could align on this. What do you think?

I think it's bad.

We had that once (see changelog)
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883800

and changed it back to complain.

Cc'ing it.

> <jdstrand> oSoMoN: but, complain mode may be noisy for people who
> don't care about apparmor
> <jdstrand> oSoMoN: so, the idea is, in Ubuntu, if the profile is good
> enough to use in the default install of the package, it is enforce. if
> the profile can't really be turned on by default for *reasons* (eg,
> firefox, libreoffice), ship it disabled
> <jdstrand> oSoMoN: if the profile is installed via some other means
> and is 'in progress', eg, apparmor-profiles, then install in complain
> mode

And the profile here IS in-progress. Or why do we constantly find new
stuff which needs to be fixed? :)

And disabling it would hide it altogether, and bugs like
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887593 wouldn't even
be filed, so we wouldn't know what to do until it breaks for users, as it
happened for your 5.4.5 packages (and our 5.4.3 packages).

There also is still stuff hidden by complain that would break if it's in
enforce.
See e.g.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882597
and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884747

In fact, I got an issue like this on my Raspberry Pi at home (which for
kernel and sanity reasons is buster already, and this cupsd is
apparmor-enforced).

Or
https://cgit.freedesktop.org/libreoffice/core/commit/?id=b13678b1e1d6f4cac548ae7e088b6030c31cf081
wouldn't have been done.

Or... (imagine)

Regards,

Rene
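The point made above, that complain mode hides accesses which would fail under enforce, can be checked from the audit log: AppArmor logs such accesses as apparmor="ALLOWED" in complain mode and as apparmor="DENIED" in enforce mode. The following is an added example, not code from this thread or from the bug reports it links; the log lines are constructed to match the shape of AppArmor kernel audit messages, and the profile and file names in them are made up.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from any real system or bug report).
# "ALLOWED" = complain mode let it through; "DENIED" = enforce mode blocked it.
SAMPLE_LOG = """\
audit: type=1400 audit(1519666998.123:101): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/etc/cups/client.conf" pid=1234 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1519666998.456:102): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/home/user/.cache/x" pid=42 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
audit: type=1400 audit(1519666999.001:103): apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/xdg-open" pid=1235 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1519666999.500:104): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libreoffice-soffice" pid=9 comm="apparmor_parser"
"""

# Matches every key="value" pair on an audit line; unquoted fields are ignored.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the quoted key="value" fields of one audit line as a dict."""
    return dict(FIELD_RE.findall(line))


def would_break_in_enforce(log_text):
    """Collect events a complain-mode profile merely logged (ALLOWED).

    Each of these is an access the profile does not permit, so switching
    that profile to enforce would turn it into a DENIED and break the
    application. Result: {profile: [(operation, path, denied_mask), ...]}.
    """
    hidden = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("apparmor") != "ALLOWED":
            continue  # DENIED and STATUS lines are not hidden by complain mode
        hidden[ev["profile"]].append(
            (ev.get("operation"), ev.get("name"), ev.get("denied_mask"))
        )
    return dict(hidden)


def already_enforced_denials(log_text):
    """Count DENIED events per profile, i.e. breakage already visible to users."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("apparmor") == "DENIED":
            counts[ev["profile"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for profile, events in would_break_in_enforce(SAMPLE_LOG).items():
        print(f"{profile}: {len(events)} access(es) would be denied in enforce mode")
        for op, path, mask in events:
            print(f"  {op} {path} (mask {mask})")
```

On a real system the same function can be fed the output of `journalctl -k` or /var/log/audit/audit.log to see what a complain-mode profile is currently masking.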

