Consider preventing changes to the AppArmor policy
Originally created by @Anonymous on #16423 (Redmine)
Regarding: Using rules to avoid modifying profiles at https://tails.boum.org/contribute/design/application_isolation/
This feature is deprecated; however, a new one, available on Tails but disabled, does just this job.
Enabling lock_policy in AppArmor prevents editing, disabling, or removing any profile; AppArmor cannot be disabled either, and the only way to reverse this is a reboot.
To enable it, echo "Y" > /sys/module/apparmor/parameters/lock_policy
I tried it on AppArmor and it works as expected; adding it is simple and adds some nice security that goes beyond root access. The next release of AppArmor will bring a powerful feature: https://gitlab.com/apparmor/apparmor/wikis/AppArmorSystemWideRestrictions
I checked the profile rules; they are way too permissive and can definitely be stricter without affecting usage of the applications.
Willing to give a hand.
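As an added example (not part of the original issue and not Tails' own code), the following POSIX shell helper reports whether AppArmor's lock_policy knob is set and, when asked, sets it and re-reads the parameter to confirm the write took. The sysfs path is the one named in the post; the function names, the --lock flag and the "locked"/"unlocked"/"unavailable" states are this example's own choices. Because the post notes that the lock can only be undone by a reboot, the helper checks the current state before writing and never writes unless explicitly asked.

```shell
#!/bin/sh
# Added example: inspect and enable AppArmor's lock_policy module parameter.
# The default path is the real sysfs location named in the issue; every
# function takes the path as an optional argument so the logic can also be
# exercised against a constructed file.
AA_LOCK_POLICY_PATH="/sys/module/apparmor/parameters/lock_policy"

# Print "locked", "unlocked" or "unavailable" for the lock_policy file at $1.
# The kernel exposes this bool parameter as a single "Y" or "N" line.
lock_policy_state() {
    path="${1:-$AA_LOCK_POLICY_PATH}"
    if [ ! -r "$path" ]; then
        echo unavailable
        return 0
    fi
    case "$(cat "$path")" in
        Y) echo locked ;;
        N) echo unlocked ;;
        *) echo unavailable ;;
    esac
}

# Write Y to the lock_policy file at $1 and re-read it; succeed only if the
# parameter now reads "locked". On the real sysfs path this needs root, and
# the change persists until reboot, so it is a no-op when already locked.
lock_apparmor_policy() {
    path="${1:-$AA_LOCK_POLICY_PATH}"
    if [ "$(lock_policy_state "$path")" = "locked" ]; then
        return 0
    fi
    printf 'Y\n' > "$path" 2>/dev/null || return 1
    [ "$(lock_policy_state "$path")" = "locked" ]
}

# Stand-alone usage: report the current state; with --lock, set it (as root).
if [ "${1:-}" = "--lock" ]; then
    if lock_apparmor_policy; then
        echo "AppArmor policy locked until reboot"
    else
        echo "failed to lock AppArmor policy (not root, or AppArmor unavailable)" >&2
        exit 1
    fi
else
    echo "lock_policy: $(lock_policy_state)"
fi
```

Run without arguments to audit a system (for example from a boot-time check that expects "locked"); run with --lock as root to apply the setting described in the post and have the script fail loudly if the kernel did not accept it.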