On 2017-12-06 12:24, Laurent Bigonville wrote:
I feel that having Apparmor running and not doing anything will give people a false sense of security, on my test machine almost nothing was confined
Yeah, we really need much more working profiles ready to be shipped... Thoguh I believe our AppArmor maintainer stated opinion that we should fix what's already available, instead of rushing to write bunch of new profiles (please correct me if I mistaken, intrigeri :-) ).
As a hint, try running "sudo aa-enforce /etc/apparmor.d/*", it might enable some disabled-by-defaut profiles, as Thunderbird and Libreoffice ones.
TBH I'm a bit disappointed with upstream state of Apparmor (no D-Bus mediation,...) and other missing features that are still ubuntu only.
Yes I miss features too (not only mediation...). Though Signal and Mount mediation is available in 4.14 (not enabled in Debian AppArmor configuration _yet_, until it's tested enough), Network might come in 4.16.
