Re: Let's enable AppArmor by default (why not?)
- Date: Wed, 09 Aug 2017 09:10:23 -0400
- From: Chris Lamb <lamby@xxxxxxxxxx>
- Subject: Re: Let's enable AppArmor by default (why not?)

> tl;dr: I hereby propose we enable AppArmor by default in testing/sid,
> and decide one year later if we want to keep it this way in the
> Buster release.

Thanks for such a comprehensive and compelling write-up :)

> * Enable AppArmor on your Debian systems:

  $ sudo aa-status | head -n2
  apparmor module is loaded.
  49 profiles are loaded.

(Well, I should take more risks, right…?)

> * If you maintain a package for which we ship AppArmor policy in
> Debian: test it with AppArmor enabled before uploading.

Related to this, most of my packages are 'server'-ish and it feels
like some of the hardening features are also/already covered by my
systemd .service files.

Should/could I be also reimplementing these in AppArmor for defense
in depth or any comments in this general area?

: :' : Chris Lamb
`. `'` lamby@xxxxxxxxxx / chris-lamb.co.uk