Hi intrigeri, > tl;dr: I hereby propose we enable AppArmor by default in testing/sid, > and decide one year later if we want to keep it this way in the > Buster release.
Thanks for such a comprehensive and compelling write-up :) > * Enable AppArmor on your Debian systems: > https://wiki.debian.org/AppArmor/HowToUse $ sudo aa-status | head -n2 apparmor module is loaded. 49 profiles are loaded. (Well, I should take more risks, right…?) > * If you maintain a package for which we ship AppArmor policy in > Debian: test it with AppArmor enabled before uploading. Related to this, most of my packages are 'server'-ish and it feels like some of the hardening features are also/already covered by my systemd .service files. Should/could I be also reimplementing these in AppArmor for defense in depth or any comments in this general area? Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
