This page tracks progress of adding AppArmor profiles to Debian.
Goals
- improve the workflow for cross-distro collaborative profile maintenance
In progress
Profiles being worked on
Pending maintainer upload
Pending upload of apparmor-profiles-extra
Wishlist bug filed
See the bugs tagged "new-profile".
bugs.debian.org: Enable push/pull notifications for usertags 776587
To be done
Import the supported profiles from Ubuntu main into apparmor-profiles-extra, unless the respective maintainers want to take them into their own packages. Maybe start with high-profile services like Apache and OpenLDAP.
Help get more profiles into good shape, so that they can be integrated upstream or into apparmor-profiles-extra. The Ubuntu security team roadmap gives some indication of their priorities and of the current status of profiles under development.
Done (for Buster, at least)
Enabling AppArmor by default
Since Debian 10 (Buster), AppArmor is enabled by default.
For historical information, see:
- a discussion was started on debian-devel during DebConf17
- for our short/mid-term options, see 879590
- for a more far-fetched long-term option, see 702030: a GRUB-based approach that has value even if AppArmor is not enabled by default, and that could also be a way to enable it by default at least on new installations
Included in the corresponding package
Note: this list is partial and somewhat outdated, i.e. the actual situation is better.
mysql-5.5
Included in the apparmor-profiles package
The community-supported profiles are included in the apparmor-profiles package in complain mode.
Included in the apparmor-profiles-extra package
See the current list of profiles in Git.