In general, this is a good idea.
Unfortunately, the force-complain symlinks disable the parser cache for
those profiles, which results in longer profile load times and longer
boot times.
Once this is fixed in the parser, I'll happily change the tools to use
force-complain symlinks.
** Also affects: apparmor
Importance: Undecided
Status: New
** Tags added: aa-tools
** Tags added: aa-parser
https://bugs.launchpad.net/bugs/1575392
Title: Use force-complain symlinks instead of hard-coded "complain" flags
Status in AppArmor: New
Status in apparmor package in Ubuntu: New
Bug description:
I am using apparmor-profiles in Xenial.
The AppArmor profiles, by default, are set to "complain" mode by way
of "flag=(complain)" directives written into the profiles themselves.
If I want these profiles to be enforced, then I have to edit each one
and manually delete the directives (or use the aa-enforce utility to
perform the same edits for me).
This then results in modified config files, which will give me grief
if and when the profiles are updated. I can accept the inconvenience
of merging if I've made significant changes. But given that all I'm
doing is switching from "complain" to "enforce", and that there is
already a good mechanism for specifying this outside of the profiles
themselves (removing symlinks from the "disable" or "force-complain"
subdirs), this significantly impairs the usability of a security
feature that sorely needs wider adoption.
[tl;dr] Please remove all "complain" flags from the profiles, and
replace them with corresponding symlinks in the "force-complain"
subdirectory.
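The two mode-switching mechanisms the report contrasts, as an added POSIX sh example that is not part of the bug report or of the apparmor tools: it audits a profile tree for in-file complain flags and toggles a profile between complain and enforce through the force-complain symlink instead of editing the file. The profile names, the check order in effective_mode and the sample tree are constructed for the example.

```shell
# Added example, not from the bug report: audit an AppArmor profile tree for
# hard-coded complain flags and switch modes via force-complain symlinks.
# Runs only on a constructed temporary tree; nothing under /etc is touched.
set -eu

# Header whose flags list contains "complain", e.g. "/usr/sbin/foo flags=(complain) {".
COMPLAIN_FLAG='^[^#]*flags=\([^)]*complain[^)]*\)'

list_hardcoded_complain() {
    # Print the files directly under $1 that carry an in-file complain flag.
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -qE "$COMPLAIN_FLAG" "$f"; then echo "$f"; fi
    done
}
effective_mode() {
    # $1 = profile tree root, $2 = profile file name. Assumed check order
    # (a simplification of the init script): disable, force-complain, in-file flag.
    if [ -e "$1/disable/$2" ]; then echo disabled
    elif [ -e "$1/force-complain/$2" ]; then echo complain
    elif grep -qE "$COMPLAIN_FLAG" "$1/$2"; then echo complain
    else echo enforce
    fi
}
set_complain_by_symlink() {
    # The mechanism the report asks for: mode changes without editing the profile.
    ln -sf "$1/$2" "$1/force-complain/$2"
}
set_enforce() {
    # Dropping the symlink returns the profile to enforce mode on next load.
    rm -f "$1/force-complain/$2"
}
make_sample_tree() {
    # Constructed sample profiles (not real Ubuntu ones); prints the tree path.
    t=$(mktemp -d)
    mkdir -p "$t/disable" "$t/force-complain"
    printf '%s\n' '#include <tunables/global>' \
        '/usr/sbin/example-daemon flags=(complain) {' '  /etc/example.conf r,' '}' \
        > "$t/usr.sbin.example-daemon"
    printf '%s\n' '/usr/bin/example-tool {' '  /etc/example.conf r,' '}' \
        > "$t/usr.bin.example-tool"
    echo "$t"
}

T=$(make_sample_tree)
echo "hard-coded complain flags:"; list_hardcoded_complain "$T"
set_complain_by_symlink "$T" usr.bin.example-tool
echo "usr.bin.example-tool: $(effective_mode "$T" usr.bin.example-tool)"
rm -rf "$T"
```

Profiles reported by list_hardcoded_complain are the ones a package update will overwrite, which is the merge problem the report describes.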