I know that no one (yet) suggested removal of flag=(complain) but
thought I'd mention that Ubuntu Core is currently using it in support of
--devmode. It's totally fine with me to update aa-complain to use the
symlink, but I request that the parser continue to support
flag=(complain) for the time being (Ubuntu Core could adjust if needed,
but we'd need coordination).

https://bugs.launchpad.net/bugs/1575392

Title:
  Use force-complain symlinks instead of hard-coded "complain" flags

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  I am using apparmor-profiles in Xenial.

  The AppArmor profiles, by default, are set to "complain" mode by way
  of "flag=(complain)" directives written into the profiles themselves.

  If I want these profiles to be enforced, then I have to edit each one
  and manually delete the directives (or use the aa-enforce utility to
  perform the same edits for me).

  This then results in modified config files, which will give me grief
  if and when the profiles are updated. I can accept the inconvenience
  of merging if I've made significant changes. But given that all I'm
  doing is switching from "complain" to "enforce", and that there is
  already a good mechanism for specifying this outside of the profiles
  themselves (removing symlinks from the "disable" or "force-complain"
  subdirs), this significantly impairs the usability of a security
  feature that sorely needs wider adoption.

  [tl;dr] Please remove all "complain" flags from the profiles, and
  replace them with corresponding symlinks in the "force-complain"
  subdirectory.
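
As an added illustration (not part of the bug report and not AppArmor's own tooling), the shell function below lists which profiles in a directory carry a hard-coded complain flag and which are named by a symlink in the "force-complain" subdirectory. The function names and the sample tree are constructed for this example; the pattern accepts both the `flags=` spelling and the `flag=` spelling used in this report.

```shell
#!/usr/bin/env bash
# audit_complain DIR: report why profiles in DIR load in complain mode.
#   flag     NAME   the profile text carries a hard-coded complain flag
#   symlink  NAME   DIR/force-complain/NAME is a symlink
audit_complain() {
    local dir f name
    dir=${1:-/etc/apparmor.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue   # skip subdirectories (force-complain/, disable/, ...)
        name=${f##*/}
        # Drop comment lines, then look for complain inside flags=(...).
        # "flags?" also accepts the flag= spelling used in this report.
        if grep -v '^[[:space:]]*#' "$f" |
           grep -Eq 'flags?[[:space:]]*=[[:space:]]*\(([^)]*[,[:space:]])?complain[,[:space:])]'
        then
            printf 'flag\t%s\n' "$name"
        fi
        if [ -L "$dir/force-complain/$name" ]; then
            printf 'symlink\t%s\n' "$name"
        fi
    done
}

# Constructed sample tree (not real Ubuntu profiles) so the example runs offline.
make_sample_tree() {
    local d
    d=$(mktemp -d) || return 1
    mkdir "$d/force-complain"
    printf '%s\n' '/usr/bin/foo flags=(complain) {' '}' > "$d/usr.bin.foo"
    printf '%s\n' '/usr/bin/bar {' '}' > "$d/usr.bin.bar"
    printf '%s\n' '# flags=(complain)' '/usr/bin/baz {' '}' > "$d/usr.bin.baz"
    ln -s ../usr.bin.bar "$d/force-complain/usr.bin.bar"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
audit_complain "$tree"
rm -rf "$tree"
```

Profiles reported as `flag` are the ones that would need their file edited to switch to enforce mode; those reported as `symlink` can be switched by removing the link.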
