Note:
- The above git commits only abolish need for the user to run the Installation steps.
- The Enabling part is not implemented by default for all AppArmor profiles.
In other words… This results in some AppArmor profiles enabled by default. These are:
- Those AppArmor profiles by the Debian
apparmor-profilespackage where the Debian maintainers decided to put those intoenforcemode by default.- Profiles where Debian maintainers decided to put those into
complainmode by default are not set toenforceby Kicksecure / Whonix yet and it is yet to be tested and decided if that will be a good idea. A call for testers will come soon.
- Profiles where Debian maintainers decided to put those into
- apparmor-profile-thunderbird
- apparmor-profile-torbrowser
- apparmor-profile-hexchat
No profiles from the Debian apparmor-profiles-extra package are copied from the /usr/share/apparmor/extra-profiles folder to the /etc/apparmor.d by default yet.
- Copying might be the wrong approach anyhow because then improvements/fixes by Debian maintainers are not applied when the package is updated.
- Symlinks would be better in theory but I haven’t tested yet if AppArmor accepts symlinks in folder
/etc/apparmor.d. Help welcome.