On Tue, Mar 30, 2021 at 11:41:25PM +0530, Murali Selvaraj wrote:
> -> As we know that code has been merged/updated continuously (day to
> day) on the particular process, Do we have any mechanism to ensure how
> the Apparmor profile aligns with the latest process/image?

Be sure your continuous integration tests cover everything the product does, and make adding tests a condition of merging new code into the tree. Look for DENIED entries in the logs, and fail the tests if there are new denials.

Also, make it very easy for developers to run the full test suite themselves on realistic deployment systems -- so they'll be in a position to spot these problems before they even prepare merge requests.

> -> What is your thought on using embedded device head-set?

Depending upon what you're offering, it might make sense to investigate compiling the profiles before deploying them to the devices. (--features-file from the apparmor_parser(8) manpage may be helpful.)

Thanks
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
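
One way to implement the "fail the tests if there are new denials" check from the reply above, as an added example that is not part of the original message or of the AppArmor project. The profile name `/usr/bin/exampled`, the sample log lines and the `BASELINE` set of already-reviewed denials are constructed assumptions.

```python
import re
import sys

# key="quoted" or key=bare pairs as they appear in kernel audit records
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
audit: type=1400 audit(1617127285.101:45): apparmor="DENIED" operation="open" profile="/usr/bin/exampled" name="/etc/shadow" pid=1234 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1617127285.202:46): apparmor="ALLOWED" operation="open" profile="/usr/bin/exampled" name="/tmp/x" pid=1234 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1617127290.303:47): apparmor="DENIED" operation="open" profile="/usr/bin/exampled" name="/etc/shadow" pid=1300 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1617127291.404:48): apparmor="DENIED" operation="mknod" profile="/usr/bin/exampled" name=2F746D702F612062 pid=1300 comm="exampled" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

# Assumed baseline: denials the team has reviewed and accepts.
BASELINE = {("/usr/bin/exampled", "open", "/etc/shadow", "r")}


def parse_denials(log_text):
    """Return distinct (profile, operation, name, denied_mask) DENIED events."""
    denials = set()
    for line in log_text.splitlines():
        fields = {}
        for key, quoted, bare in _PAIR.findall(line):
            # An unquoted name is hex-encoded by the audit subsystem; decode it.
            if key == "name" and bare and _HEX.fullmatch(bare):
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            fields[key] = quoted or bare
        if fields.get("apparmor") != "DENIED":
            continue  # skip ALLOWED (complain mode) and unrelated records
        denials.add(tuple(fields.get(k, "") for k in
                          ("profile", "operation", "name", "denied_mask")))
    return denials


def new_denials(log_text, baseline=frozenset()):
    """Denials in the log that are not in the reviewed baseline, sorted."""
    return sorted(parse_denials(log_text) - set(baseline))


def main(argv):
    # With a path argument, check that log file; otherwise use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    fresh = new_denials(text, BASELINE)
    for profile, op, name, mask in fresh:
        print(f"new denial: profile={profile} op={op} name={name} mask={mask}")
    return 1 if fresh else 0  # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run after the test suite against the log collected from the test system; pid and timestamp are left out of the key so repeated hits on the same rule gap count once.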
