[apparmor] Apparmor on Embedded devices.

Seth Arnold seth.arnold at canonical.com
Tue Mar 30 21:13:41 UTC 2021


On Tue, Mar 30, 2021 at 11:41:25PM +0530, Murali Selvaraj wrote:
> -> As we know that code has been merged/updated continuously (day to
> day) on the particular process, do we have any mechanism to ensure how
> the Apparmor profile aligns with the latest process/image?

Be sure your continuous integration tests cover everything the product
does, and make adding tests a condition of merging new code into the
tree. Look for DENIED entries in the logs, and fail the tests if there are
new denials.

Also, make it very easy for developers to run the full test suite
themselves on realistic deployment systems -- so they'll be in a position
to spot these problems before they even prepare merge requests.

> -> What is your thought on using embedded device head-set?

Depending upon what you're offering, it might make sense to investigate
compiling the profiles before deploying them to the devices.
(--features-file from the apparmor_parser(8) manpage may be helpful.)

Thanks
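
The CI check suggested above (fail the tests when new DENIED entries appear), as an added example that is not part of the original message. It assumes the kernel audit record format for AppArmor events; the profile name, paths and baseline below are constructed for illustration.

```python
import re
import sys

# key=value pairs as they appear in kernel audit records; values are either
# double-quoted or bare (numbers, hex-encoded names).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(lines):
    """Return a set of (profile, operation, target, denied_mask) for DENIED records."""
    denials = set()
    for line in lines:
        if 'apparmor="DENIED"' not in line:
            continue  # skips ALLOWED (complain mode), STATUS, and unrelated lines
        f = {k: (quoted or bare) for k, quoted, bare in FIELD_RE.findall(line)}
        # File rules carry name=, capability rules carry capname=.
        target = f.get("name") or f.get("capname") or ""
        denials.add((f.get("profile", ""), f.get("operation", ""),
                     target, f.get("denied_mask", "")))
    return denials

def new_denials(log_lines, baseline):
    """Denials seen in this test run that are not in the reviewed baseline."""
    return sorted(parse_denials(log_lines) - set(baseline))

# Constructed sample log, as collected from the device after the test suite ran.
SAMPLE_LOG = [
    'audit: type=1400 audit(1617138821.123:45): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/exampled" name="/etc/shadow" pid=1234 comm="exampled" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1617138822.456:46): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/exampled" name="/tmp/x" pid=1234 comm="exampled" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1617138823.789:47): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/exampled" pid=1234 comm="exampled" capability=12 capname="net_admin"',
    # Same denial as the first record from another process: deduplicated.
    'audit: type=1400 audit(1617138824.001:48): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/exampled" name="/etc/shadow" pid=1301 comm="exampled" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# Constructed baseline: denials already reviewed and accepted as intentional.
BASELINE = {("/usr/sbin/exampled", "capable", "net_admin", "")}

if __name__ == "__main__":
    fresh = new_denials(SAMPLE_LOG, BASELINE)
    for profile, op, target, mask in fresh:
        print(f"NEW DENIAL profile={profile} operation={op} target={target} mask={mask}")
    sys.exit(1 if fresh else 0)  # non-zero exit fails the CI job
```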