> tl;dr: I hereby propose we enable AppArmor by default in testing/sid,
> and decide one year later if we want to keep it this way in the
> Buster release.

Thanks for such a comprehensive and compelling write-up :)

> * Enable AppArmor on your Debian systems:

$ sudo aa-status | head -n2
apparmor module is loaded.
49 profiles are loaded.

(Well, I should take more risks, right…?)

> * If you maintain a package for which we ship AppArmor policy in
> Debian: test it with AppArmor enabled before uploading.

Related to this, most of my packages are 'server'-ish and it feels
like some of the hardening features are also/already covered by my
systemd .service files.

Should/could I also be reimplementing these in AppArmor for defense
in depth or any comments in this general area?

: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk