Christian Boltz:
> It turned out that the added "network unix dgram/stream" rules are not
> really needed. Let me explain ;-)
>
> In theory apparmor_parser should downgrade the "unix" rules in
> abstractions/base to "network unix" rules (when using Kernel < 4.15),
> which allows more than "network unix dgram/stream".
> In practise this rule downgrade was broken in apparmor_parser, and got
> fixed in AppArmor 2.11.1, 2.10.3 and 2.9.5.
> So once you update apparmor_parser to one of these versions, profiles
> that include abstractions/base (which basically means all profiles)
> should no longer need the "network unix dgram/stream" rules.

Great! I'm packaging 2.11.1 as we speak, so I've reverted your patch (that I had previously applied to our packaging bzr repo, but did not upload to Debian yet). Thanks for the heads up!

> Note that the patch discussed in this bugreport adds a few other rules -
> those will still be needed.

Indeed. I want to work on this later this week.

Cheers,
--
intrigeri