"Enabling AppArmor by default?": update status & pointers.
|Deletions are marked like this.||Additions are marked like this.|
|Line 31:||Line 31:|
|* Reportbug should say if AppArmor (or any other LSM) is activated, filed as DebianBug:773346|
|/Contribute /ContributeUpstream /Debug /HowTo /HowToUse /OutReachyRound9 /PackageMaintainers /Progress /Reportbug /Testing /UserStories|
This page tracks progress of adding AppArmor profiles to Debian.
- In progress
- To be done
- Done (for Buster, at least)
- OutreachProgram Round 9
For Buster, we'd like to enable AppArmor by default and improve the workflow for cross-distro collaborative profiles maintenance.
Enabling AppArmor by default?
We are discussing and researching if/how AppArmor should be enabled by default on Debian:
for our short/mid-term options, see 879590
for a more far-fetched long-term option, see 702030: a GRUB-based approach that has value even if AppArmor is not enabled default, and also could be a way to enable it by default at least on new installations
Profiles being worked on
Pending maintainer upload
Pending upload of apparmor-profiles-extra
Wishlist bug filed
See the bugs tagged "new-profile".
bugs.debian.org: Enable push/pull notifications for usertags 776587
To be done
Supported profiles in Ubuntu main => import into apparmor-profiles-extra, unless the respective maintainers want to take it into their package. Maybe start with the high-profile services like Apache, OpenLDAP.
Help get more profiles into good shape, so that they can be integrated upstream or into apparmor-profiles-extra. The Ubuntu security team roadmap tells a bit about their priority, and the current status of profiles under development.
Done (for Buster, at least)
Included in the corresponding package
Note: this list is partial and somewhat outdated, i.e. the actual situation is better
Included in the apparmor-profiles package
Included in the apparmor-profiles-extra package
See the current list of profiles in Git.