On 2017.11.12 19:14, intrigeri wrote:
Rules that are not supported by the running kernel are ignored even if
they're explicitly listed via the features-file setting. In other
words, features-file caps the feature set, but it doesn't require the
kernel to support all listed features.

Thanks, that's clear.

If there's a machine running RC7 and the `features-files=` line is
commented out, what does that state actually mean?

When no pinning is defined, the active feature set is the one of the
running kernel. In this example, you would have all features from
Linux 4.14-rc7 enabled. Note that I recommend using this combination
(recent kernel + no pinning) only for people like us, who want to
discover issues as early as possible, so we can fix them before they
hit Debian users. Enthusiastic users are of course welcome to do the
same if they wish to give a hand: they'll notice issues and report
bugs that we would not notice in other environments (yeah, CI and all
that).

OK, so 4.14 is now released, and when it hits Sid we will still have the older feature set, and we can use our time to test bleeding-edge AppArmor features to catch any problematic denies, right?

What do you believe the deadline would be for enabling 4.14 features (removing
the feature set limits / upgrading the feature set file)?

Is it possible that Buster could be released with the old feature set, or would you consider that a critical failure and that apparmor-by-default should be reverted?

There are quite a few profiles to check (and progress is rather slow on my part), although if feature set pinning is working fine on 4.14, we still have some time, I guess...?
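Since a pinned features file caps the feature set without requiring the kernel to support everything listed, a practical check for the "recent kernel + pinning" setup discussed above is to list which features the running kernel exposes that the pinned file never mentions. This is an added example, not code from the thread or from the AppArmor project; the features file path and the sysfs directory are assumptions, and the sample data in the comments is constructed.

```shell
#!/bin/sh
# List kernel AppArmor feature names that a pinned features file does not mention.
# Arguments (assumed paths):
#   $1  pinned features file, e.g. the file named by features-file= in parser.conf
#   $2  kernel feature tree, normally /sys/kernel/security/apparmor/features
# The pinned file is matched by feature name only, so the exact brace layout
# of the file does not matter.
list_new_kernel_features() {
  pinned="$1"
  featdir="$2"
  [ -r "$pinned" ] || { echo "cannot read $pinned" >&2; return 1; }
  [ -d "$featdir" ] || { echo "no feature tree at $featdir" >&2; return 1; }
  # Every entry below the feature tree, relative to it (e.g. policy/versions).
  find "$featdir" -mindepth 1 -printf '%P\n' | while read -r entry; do
    name=$(basename "$entry")
    # Report the entry if its name appears nowhere in the pinned file.
    grep -qw -- "$name" "$pinned" || echo "$entry"
  done | sort -u
}

# Usage on a real system (constructed example invocation):
#   list_new_kernel_features /path/to/pinned-features /sys/kernel/security/apparmor/features
```

An empty result means the pinned file already names every feature the running kernel offers; otherwise the listed entries are the ones the pin is hiding from the parser.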
