On Mon, 2017-10-23 at 10:06 +0200, intrig...@debian.org wrote:
> Package: apparmor
> Version: 2.11.0-11
> Severity: normal
> X-Debbugs-Cc: Ben Hutchings <b...@debian.org>
>
> Hi,
>
> we're discussing whether to enable AppArmor by default during the
> Buster cycle, but we have no actual plan wrt. how to do it.
> There are several options:
>
> A. Make AppArmor the default LSM in the kernel
>
> i.e. set CONFIG_DEFAULT_SECURITY="apparmor"
> and CONFIG_DEFAULT_SECURITY_APPARMOR=y.
[...]
> B. Configure bootloaders to enable AppArmor by default
>
> On https://bugs.debian.org/702030 a nice & flexible solution was
> designed; let's call it B.1.
[...]
> A short-term simpler option would be to drop a file in
> /etc/default/grub.d/ [...] Let's call this option B.2.
[...]
> C. Anything else?
>
> My personal preference is A > B.1. Ben & others, what do you think?

I agree. We really should have a common way to append things to the
kernel command line, which would allow a more general B.2, but this
shouldn't have to wait for that.

Ben.

--
Ben Hutchings
The most exhausting thing in life is being insincere.
                                               - Anne Morrow Lindberg