Re: Let's enable AppArmor by default (why not?)
- Date: Mon, 7 Aug 2017 11:59:00 +0200
- From: Moritz Mühlenhoff <jmm@xxxxxxxxxx>
- Subject: Re: Let's enable AppArmor by default (why not?)
Christian Seiler <christian@xxxxxxxx> schrieb:
> Another thing to consider: if a profile is too restrictive, but the
> part that is too restrictive isn't in the upstream kernel yet, then
> things could break if you upgrade the kernel to a newer version from
> e.g. backports later on. How would you deal with that kind of
> breakage during the lifetime of a stable release?
Agreed, that was pretty much my concern. Ideally the feature set
used would also be controlled by the apparmor userspace side.
Also, I'm wondering about the status of kernel support which is
currently not upstreamed: intrigeri mention that new features are
now added to Linux mainline. Was there ever an attempt to upstream
those existing patches (e.g. for network socket mediation); was it
NACKed by upstream for conceptual problems or was it simply never
attempted due to time/resource constraints?