    Pin the AppArmor feature set to Stretch's kernel one. · 13722c56
    intrigeri authored
    Linux 4.14 brings new AppArmor mediation features and the policy shipped in
    Stretch may not be ready for it. So let's disable these new features to avoid
    breaking stuff: it's too hard to check if all the policy for apps we ship (and
    that users install themselves) has the right rules to cope with these new
    mediation features.
    
    This feature set file will be:
    
     - either removed: once we install an apparmor package that ships its own,
       maintained elsewhere, feature set (probably via Debian#879585);
    
     - or upgraded: to the Buster kernel's, when we move to Buster, iff.
       Debian does not ship any pinned feature set then (refs: #15149).
    
    This commit ports to our build system the changes that are in Buster/sid
    currently, except we include Stretch's kernel feature set while Buster/sid
    is pinned to Linux 4.14's feature set (the policy in Buster/sid was updated to
    support it). This is exactly what will likely land in the next Debian Stretch
    point release. I'm using a different filename from the one used on Debian, in
    order to make it easier to compare the "upstream" (Debian) file with ours.
    And while I'm at it I'm adding a build-time sanity check that will warn us if
    there's some maintenance work to do on our side.
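As an added illustration of the build-time sanity check the commit describes (example code, not the commit's own; the flattened feature-file layout, the function names and the sample tree contents are assumptions), a POSIX shell script that flattens a kernel features tree and warns when the pinned copy no longer matches it:

```shell
#!/bin/sh
# Added example (not from the commit): warn when a pinned AppArmor feature
# set no longer matches what the running kernel exposes. Assumption: the
# pinned file is the flattened "relative/path: value" listing dump_features makes.

# Flatten a features tree (e.g. /sys/kernel/security/apparmor/features)
# into sorted "relative/path: value" lines.
dump_features() {
    dir=$1
    find "$dir" -type f | sort | while read -r f; do
        rel=${f#"$dir"/}
        # Collapse whitespace so layout-only differences do not count.
        val=$(tr -s '[:space:]' ' ' < "$f" | sed 's/^ //; s/ $//')
        printf '%s: %s\n' "$rel" "$val"
    done
}
# Return 0 when the pinned file matches the kernel tree; otherwise print a
# warning and the diff to stderr and return 1 (maintenance needed).
check_pinned_features() {
    pinned=$1
    actual=$(dump_features "$2")
    if [ "$actual" = "$(cat "$pinned")" ]; then
        return 0
    fi
    echo "WARNING: pinned AppArmor feature set differs from the kernel's:" >&2
    printf '%s\n' "$actual" | diff -u "$pinned" - >&2 || true
    return 1
}
# Constructed sample tree standing in for a kernel's features directory
# (paths and values are made up for the demo, not real kernel output).
make_sample_tree() {
    mkdir -p "$1/policy" "$1/file" "$1/network"
    printf '1.2\n' > "$1/policy/versions"
    printf 'mask {read write exec}\n' > "$1/file/mask"
    printf 'af_mask\n' > "$1/network/af_mask"
}
# Demo: pin the "old kernel" tree, then check it against a "new kernel" tree
# that adds one mediation feature, as a newer Linux would.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/old"
    dump_features "$tmp/old" > "$tmp/pinned"
    make_sample_tree "$tmp/new"
    mkdir -p "$tmp/new/mount" && printf 'mask {mount umount}\n' > "$tmp/new/mount/mask"
    check_pinned_features "$tmp/pinned" "$tmp/old" && echo "old kernel: feature set matches"
    check_pinned_features "$tmp/pinned" "$tmp/new" || echo "new kernel: maintenance needed"
    rm -rf "$tmp"
}
demo
```

In a real build the second argument would be the kernel's features directory and the first the pinned file that apparmor_parser is configured to use.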