Christian Seiler <christ...@iwakd.de> wrote:
> Another thing to consider: if a profile is too restrictive, but the
> part that is too restrictive isn't in the upstream kernel yet, then
> things could break if you upgrade the kernel to a newer version from
> e.g. backports later on. How would you deal with that kind of
> breakage during the lifetime of a stable release?
Agreed, that was pretty much my concern. Ideally the feature set used would also be controlled by the apparmor userspace side.

Also, I'm wondering about the status of kernel support which is currently not upstreamed: intrigeri mentioned that new features are now added to Linux mainline. Was there ever an attempt to upstream those existing patches (e.g. for network socket mediation)? Was it NACKed by upstream for conceptual problems, or was it simply never attempted due to time/resource constraints?

Cheers,
Moritz
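The breakage Christian describes (a profile written against a kernel without, say, network socket mediation, then a backports kernel that adds it) and Moritz's point that the feature set should be controlled by the userspace side can be checked mechanically. The script below is an added example, not code from this thread or from the AppArmor project: it models the kernel's /sys/kernel/security/apparmor/features tree as a dict (reading the live tree when it exists, otherwise falling back to constructed entries), extracts which mediation classes a profile text carries rules for, and reports the classes that a given parser feature set plus running kernel would newly enforce without the profile covering them. Assumptions labelled in the code: the constructed feature contents and profiles, the line-anchored rule patterns, and the model that a class is enforced only when both the feature set the parser compiles against and the running kernel advertise it, which is the premise behind pinning the parser's feature set (apparmor_parser's --features-file option; that option name is recalled from the parser's man page, not taken from the thread).

```python
import os
import re

FEATURES_DIR = "/sys/kernel/security/apparmor/features"

# Constructed feature trees shaped like the kernel's features directory:
# key = path relative to FEATURES_DIR, value = file content. Illustrative
# only, not copied from any real kernel (assumption for this example).
OLD_KERNEL_FEATURES = {
    "file/mask": "read write exec append mmap_exec link lock",
    "caps/mask": "chown dac_override net_bind_service",
    "domain/change_profile": "yes",
    "rlimit/mask": "cpu fsize data",
}
NEW_KERNEL_FEATURES = dict(OLD_KERNEL_FEATURES)
NEW_KERNEL_FEATURES.update({
    "network/af_mask": "unix inet inet6 netlink packet",
    "mount/mask": "mount umount pivot_root",
    "ptrace/mask": "read trace",
    "signal/mask": "hup int quit kill term usr1 usr2",
})

# Rule keyword that grants access for each mediation class, anchored at the
# start of a line so paths and comments don't count (heuristic, assumption).
RULE_PATTERNS = {
    "network": r"^\s*(?:(?:deny|audit)\s+)*network\b",
    "mount": r"^\s*(?:(?:deny|audit)\s+)*(?:mount|umount|remount|pivot_root)\b",
    "ptrace": r"^\s*(?:(?:deny|audit)\s+)*ptrace\b",
    "signal": r"^\s*(?:(?:deny|audit)\s+)*signal\b",
    "dbus": r"^\s*(?:(?:deny|audit)\s+)*dbus\b",
    "caps": r"^\s*(?:(?:deny|audit)\s+)*capability\b",
}


def load_features_dir(path=FEATURES_DIR):
    """Read a real features tree into the dict shape above; None if absent."""
    if not os.path.isdir(path):
        return None
    feats = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full) as fh:
                    feats[os.path.relpath(full, path)] = fh.read().strip()
            except OSError:
                pass  # some entries are not readable by unprivileged users
    return feats


def mediation_classes(features):
    """Top-level directories of a feature tree = classes the kernel can mediate."""
    return {p.split("/", 1)[0] for p in features}


def rule_classes_in_profile(profile_text):
    """Mediation classes for which the profile text has explicit rules.
    Comments are stripped; #include'd abstractions are not resolved."""
    text = re.sub(r"#.*", "", profile_text)
    return {cls for cls, pat in RULE_PATTERNS.items() if re.search(pat, text, re.M)}


def regression_risk(profile_text, authored_features, compile_features, kernel_features):
    """Classes the kernel will start enforcing for this profile even though the
    profile was written when they were not mediated and carries no rules for
    them. Model (assumption): a class is enforced only if both the feature set
    the parser compiles against and the running kernel advertise it; a parser
    pinned to a set lacking the class leaves it unmediated."""
    enforced = mediation_classes(compile_features) & mediation_classes(kernel_features)
    newly_enforced = enforced - mediation_classes(authored_features)
    return newly_enforced - rule_classes_in_profile(profile_text)


# Constructed profile, as it might have been written against OLD_KERNEL_FEATURES.
PROFILE_V1 = """\
#include <tunables/global>
/usr/bin/example {
  #include <abstractions/base>
  capability net_bind_service,
  /etc/example.conf r,
  /usr/bin/example mr,
}
"""

# Same profile after the author added rules for two of the new classes.
PROFILE_V2 = PROFILE_V1.replace(
    "  /etc/example.conf r,",
    "  network inet stream,\n  signal (receive) peer=unconfined,\n  /etc/example.conf r,",
)


if __name__ == "__main__":
    running = load_features_dir() or NEW_KERNEL_FEATURES
    # Parser follows the running kernel: new mediation silently breaks the profile.
    print("unpinned:", sorted(regression_risk(PROFILE_V1, OLD_KERNEL_FEATURES, running, running)))
    # Parser pinned to the feature set the profile was written for: nothing new enforced.
    print("pinned:  ", sorted(regression_risk(PROFILE_V1, OLD_KERNEL_FEATURES, OLD_KERNEL_FEATURES, running)))
    print("updated: ", sorted(regression_risk(PROFILE_V2, OLD_KERNEL_FEATURES, running, running)))
```

The "unpinned" case is the scenario from the thread: the stable release's profile gains four mediation classes it was never written for as soon as the backports kernel boots. The "pinned" case is what userspace control of the feature set buys: compiled against the old set, the profile is unaffected by the kernel upgrade until someone deliberately moves the pin and adds the missing rules (the "updated" case shows which ones still remain).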