Public bug reported:

I am using apparmor-profiles in Xenial.

The AppArmor profiles, by default, are set to "complain" mode by way of "flag=(complain)" directives written into the profiles themselves. If I want these profiles to be enforced, then I have to edit each one and manually delete the directives (or use the aa-enforce utility to perform the same edits for me).

This then results in modified config files, which will give me grief if and when the profiles are updated. I can accept the inconvenience of merging if I've made significant changes. But given that all I'm doing is switching from "complain" to "enforce", and that there is already a good mechanism for specifying this outside of the profiles themselves (removing symlinks from the "disable" or "force-complain" subdirs), this significantly impairs the usability of a security feature that sorely needs wider adoption.

[tl;dr] Please remove all "complain" flags from the profiles, and replace them with corresponding symlinks in the "force-complain" subdirectory.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1575392

Title:
  Use force-complain symlinks instead of hard-coded "complain" flags

Status in apparmor package in Ubuntu:
  New
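To see which of the two mechanisms described in the report sets each profile's mode, the following added example (not part of the report or of the apparmor package) classifies every profile file in a directory. The function names `audit_profiles` and `make_sample`, and the sample profile tree, are constructed for illustration; the script assumes the `disable` and `force-complain` subdirectories the report mentions.

```shell
#!/bin/sh
# Added example (not from the report): report how each AppArmor profile's mode is set.

# audit_profiles DIR: print "<file> <mode> <set-by>" for each top-level profile file.
audit_profiles() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue   # skip subdirectories such as disable/ and force-complain/
        name=${f##*/}
        flag=no
        link=no
        # Mode hard-coded in the profile header, e.g. "/usr/sbin/x flags=(complain) {".
        # Commented-out lines are ignored; the "flag=" spelling from the report also matches.
        if grep -Eq '^[^#]*flags?[[:space:]]*=[[:space:]]*\([^)]*complain[^)]*\)' "$f"; then
            flag=yes
        fi
        # Mode set outside the file: a symlink named after the profile file.
        if [ -L "$dir/force-complain/$name" ]; then
            link=yes
        fi
        if [ -L "$dir/disable/$name" ]; then
            echo "$name disabled symlink"
            continue
        fi
        case "$flag$link" in
            yesyes) echo "$name complain flag+symlink" ;;
            yesno)  echo "$name complain flag" ;;      # enforcing means editing the file
            noyes)  echo "$name complain symlink" ;;   # enforcing means removing a link
            *)      echo "$name enforce -" ;;
        esac
    done
}

# make_sample DIR: build a constructed profile tree (sample data, not real profiles).
make_sample() {
    mkdir -p "$1/disable" "$1/force-complain"
    printf '%s\n' '/usr/sbin/alpha flags=(complain) {' '}' > "$1/usr.sbin.alpha"
    printf '%s\n' '/usr/sbin/beta {' '}' > "$1/usr.sbin.beta"
    printf '%s\n' '# flags=(complain) removed locally' '/usr/sbin/delta {' '}' > "$1/usr.sbin.delta"
    printf '%s\n' '/usr/sbin/epsilon {' '}' > "$1/usr.sbin.epsilon"
    printf '%s\n' '/usr/sbin/gamma flags=(attach_disconnected) {' '}' > "$1/usr.sbin.gamma"
    ln -s ../usr.sbin.beta "$1/force-complain/usr.sbin.beta"
    ln -s ../usr.sbin.epsilon "$1/disable/usr.sbin.epsilon"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_profiles "$demo"
rm -rf "$demo"
```

On an Ubuntu system the directory to pass is `/etc/apparmor.d`. The output reflects what the configuration requests, not what the kernel has loaded; `aa-status` shows the loaded state.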