More boot modes…? But it could get a bit convoluted. This was as far as it was discussed earlier:
Alright. So for the future, when apparmor-profile-everything is ready…
- persistent + regular [apparmor-profile-everything]
- persistent + full-root (DANGER!)
- live + regular [apparmor-profile-everything]
- persistent + full-root (DANGER!)
And later if no-root gets implemented…
- persistent + no-root [apparmor-profile-everything]
- persistent + root [apparmor-profile-everything]
- persistent + full-root (DANGER!)
- live + no-root [apparmor-profile-everything]
- live + root [apparmor-profile-everything]
- persistent + full-root (DANGER!)
(Didn’t think much yet about the wording. Open for suggestions. Can be done when the time has come.)
Now we have more suggestions which could be different boot modes.
- “read-only root” (no modifications at all) [0]
- No arbitrary apt package installation.
[0] No apt package installation, removal, upgrades. Similar to “read-only root”. Not really “real” read-only root.
I am not sure “no arbitrary package installation” gives us any more flexibility / features than “read-only root”. At the same time “no arbitrary package installation” is probably more difficult to implement than “read-only root”. Or perhaps better called “no APT”.
I don’t know what @madaidan thinks about a “no APT” or “no writing to /etc/ /usr/bin” or “non-admin” boot mode.
Perhaps this is the same as “noroot boot mode”? Perhaps the “noroot boot mode” should have a more restrictive full system apparmor profile?