Differences between revisions 166 and 167
Revision 166 as of 2017-08-05 13:24:55
Size: 3230
Editor: ?IntRigeri
Comment: Update goals for Buster.
Revision 167 as of 2017-10-26 14:40:41
Size: 3238
Editor: ?IntRigeri
Comment: "Enabling AppArmor by default?": update status & pointers.
Deletions are marked like this. Additions are marked like this.
Line 17: Line 17:
 * XXX: link to discussion on debian-devel started during DebConf17
 * DebianBug:702030 for a GRUB-based approach that has value even if AppArmor is not enabled default, and also could be a way to enable it by default at least on new installations
 * We could also enable AppArmor directly in the kernel with `CONFIG_DEFAULT_SECURITY="apparmor"` and `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1`
 * a discussion [[https://lists.debian.org/debian-devel/2017/08/msg00090.html|was started]] on debian-devel during DebConf17
 * for our short/mid-term options, see DebianBug:879590
 * for a more far-fetched long-term option, see
DebianBug:702030: a GRUB-based approach that has value even if AppArmor is not enabled default, and also could be a way to enable it by default at least on new installations


This page tracks progress of adding AppArmor profiles to Debian.

Goals

For Buster, we'd like to enable AppArmor by default and improve the workflow for cross-distro collaborative profiles maintenance.

In progress

Enabling AppArmor by default?

We are discussing and researching if/how AppArmor should be enabled by default on Debian:

  • a discussion was started on debian-devel during ?DebConf17

  • for our short/mid-term options, see 879590

  • for a more far-fetched long-term option, see 702030: a GRUB-based approach that has value even if AppArmor is not enabled default, and also could be a way to enable it by default at least on new installations

Profiles being worked on

Pending maintainer upload

Pending upload of apparmor-profiles-extra

Wishlist bug filed

To be done

Done (for Buster, at least)

Included in the corresponding package

Note: this list is partial and somewhat outdated, i.e. the actual situation is better :)

Included in the apparmor-profiles package

The Community supported profiles are included in the apparmor-profiles package in complain mode.

Included in the apparmor-profiles-extra package

See the current list of profiles in Git.

OutreachProgram Round 9

See AppArmor/OutReachyRound9.