Comment # 4 on bug 506704 from 
Sorry, this bug was mis-assigned years ago and then lost/ignored :-(

On the positive side - at least parts of your idea can easily be implemented
nowadays. You can specify   AppArmorProfile=...   in a *.service file. Systemd
will then enforce usage of that profile, and refuse to start the service if the
profile isn't loaded.

In theory you can also keep the network down this way by enforcing a
(to-be-created) profile on wickedd and wickedd-*.

You can easily add   AppArmorProfile=...   on your system by creating a plug-in
sniplet for your *.service files as
/etc/systemd/system/whatever.service.d/*.conf, which means you can keep the
official *.service files and only have to maintain the plug-in yourself.
Nowadays there's even   systemctl edit whatever.service   which will
automatically create such a plug-in file.


I'm not sure if we want to ship *.service files that enforce AppArmor by
default - while I personally like the idea, it would also make disabling
AppArmor too hard.

Oh, BTW: The Ubuntu people are working hard on upstreaming all the AppArmor
features, and they hope to have everything (including the "new" features only
Ubuntu shipped for some years) in upstream kernel 4.14.


If you have an idea how we can implement this in a way that makes everybody
happy (including those who for whatever reason want to disable AppArmor),
please tell me ;-)

You are receiving this mail because: