(In reply to Aleksa Sarai from comment #7)
> As an aside, the one thing that makes me distrust AppArmor as being useful
> as a primary security tool is that when profiles are deleted the constrained
> processes become unconstrained and there is no way to re-constrain them
> without hijacking them (with ptrace) to set their own profile again. This is
> a classic example of "failing-open" and is particularly bad because there is
> no reasonable way to re-constrain the processes. This happens very often
> with package upgrades, because the AppArmor tooling deletes all profiles not
> in /etc/apparmor.d.

Do you know if there is any progress to fix this issue? I just found that this was discussed ~6 years ago in bsc#853019. So this is not really a relevant discussion to bring up again here. :D