1. 17 Jan, 2018 1 commit
  2. 06 Jan, 2018 1 commit
    • intrigeri's avatar
      Pin the AppArmor feature set to the Stretch's kernel one. · 13722c56
      intrigeri authored
      Linux 4.14 brings new AppArmor mediation features and the policy shipped in
      Stretch may not be ready for it. So let's disable these new features to avoid
      breaking stuff: it's too hard to check if all the policy for apps we ship (and
      that users install themselves) has the right rules to cope with these new
      mediation features.
      
      This feature set file will be:
      
       - either removed: once we install an apparmor package that ships its own,
         maintained elsewhere, feature set (probably via Debian#879585);
      
       - or upgraded: to the Buster kernel's, when we move to Buster, iff.
         Debian does not ship any pinned feature set then (refs: #15149).
      
      This commit ports to our build system the changes that are in Buster/sid
      currently, except we include the Stretch's kernel feature set while Buster/sid
      is pinned to Linux 4.14's feature set (the policy in Buster/sid was updated to
      support it). This is exactly what will likely land in the next Debian Stretch
      point release. I'm using a different filename from the one used on Debian, in
      order to make it easier to compare the "upstream" (Debian) file with ours.
      And while I'm at it I'm adding a build-time sanity check that will warn us if
      there's some maintenance work to do on our side.
      13722c56