Update goals for Buster.
"Enabling AppArmor by default?": update status & pointers.
|Line 17:||Line 17:|
| * XXX: link to discussion on debian-devel started during DebConf17
* DebianBug:702030 for a GRUB-based approach that has value even if AppArmor is not enabled default, and also could be a way to enable it by default at least on new installations
* We could also enable AppArmor directly in the kernel with `CONFIG_DEFAULT_SECURITY="apparmor"` and `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1`
| * a discussion [[https://lists.debian.org/debian-devel/2017/08/msg00090.html|was started]] on debian-devel during DebConf17
* for our short/mid-term options, see DebianBug:879590
* for a more far-fetched long-term option, see DebianBug:702030: a GRUB-based approach that has value even if AppArmor is not enabled default, and also could be a way to enable it by default at least on new installations
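Review bot: the added DebianBug:702030 bullet carries over the wording "not enabled default" from the removed line; it should read "not enabled by default". Separately, the removed bullet about enabling AppArmor directly in the kernel with `CONFIG_DEFAULT_SECURITY="apparmor"` and `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1` has no counterpart in the added lines. If that option is now tracked in DebianBug:879590, say so in the new "short/mid-term options" bullet so the kernel-config approach stays discoverable from this page.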
This page tracks progress of adding AppArmor profiles to Debian.
- In progress
- To be done
- Done (for Buster, at least)
- OutreachProgram Round 9
For Buster, we'd like to enable AppArmor by default and improve the workflow for cross-distro collaborative profile maintenance.
Enabling AppArmor by default?
We are discussing and researching if/how AppArmor should be enabled by default on Debian:
- for our short/mid-term options, see Debian bug 879590
- for a more far-fetched long-term option, see Debian bug 702030: a GRUB-based approach that has value even if AppArmor is not enabled by default, and also could be a way to enable it by default at least on new installations
Profiles being worked on
Pending maintainer upload
Pending upload of apparmor-profiles-extra
Wishlist bug filed
See the bugs tagged "new-profile".
bugs.debian.org: Enable push/pull notifications for usertags 776587
To be done
Supported profiles in Ubuntu main => import into apparmor-profiles-extra, unless the respective maintainers want to take them into their package. Maybe start with the high-profile services like Apache and OpenLDAP.
Help get more profiles into good shape, so that they can be integrated upstream or into apparmor-profiles-extra. The Ubuntu security team roadmap tells a bit about their priority, and the current status of profiles under development.
Done (for Buster, at least)
Included in the corresponding package
Note: this list is partial and somewhat outdated, i.e. the actual situation is better
Included in the apparmor-profiles package
Included in the apparmor-profiles-extra package
See the current list of profiles in Git.