On Sat, 05 Aug 2017 at 06:50:00 +0000, Niels Thykier wrote:
> Can we integrate these LSM policies into our testing frameworks (e.g.
> autopkgtests), so we can start having automated tests of even basic
> functionality. Or will that happen "out of the box" if we enable it by
> default (and, possibly, enable it on our test hosts)?
In practice probably only if our test hosts change from being lxc
containers to being full virtual machines, which would be good for
other aspects of test coverage too (flatpak/bubblewrap currently skip
many of their autopkgtests, and so does debootstrap).
AppArmor has some amount of support for being used inside a privileged
lxc container, but it's very new and I'm not sure it's going to be a
particularly accurate representation of what would happen on real
hardware. (One of my colleagues looked at lxc + apparmor recently and
was able to make it work, but not trivially.)