[pkg-apparmor] Bug#880078: apparmor: Bump pinned feature set to Linux 4.14's

intrigeri intrigeri at debian.org
Sun Nov 12 17:14:52 UTC 2017


Vincas Dargis:
> Could you elaborate how that feature pinning works?

IIRC jjohansen explained this in more detail (and more accurately) on
the AppArmor mailing list recently, but I'll sum up my understanding,
which seems to be good enough for distro integrators.

Basically, the scope of the policy that is compiled, loaded into the
kernel, and applied is limited to the intersection of the feature set
supported by the kernel and the feature set defined by the
features-file setting.

Rules that are not supported by the running kernel are ignored even if
they're explicitly listed via the features-file setting. In other
words, features-file caps the feature set, but it doesn't require the
kernel to support all listed features.

> If there's a machine running RC7 and the `features-files=` line is
> commented out, what does that state actually mean?

When no pinning is defined, the active feature set is the one of the
running kernel. In this example, you would have all features from
Linux 4.14-rc7 enabled. Note that I recommend using this combination
(recent kernel + no pinning) only for people like us, who want to
discover issues as early as possible, so we can fix them before they
hit Debian users. Enthusiastic users are of course welcome to do the
same if they wish to give a hand: they'll notice issues and report
bugs that we would not notice in other environments (yeah, CI and all
that).

Cheers,
-- 
intrigeri
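Added illustration (not AppArmor's own code, nor anything from this thread) of the intersection rule described above: a small Python parser for the brace-nested layout of an AppArmor features file, applied to constructed, simplified sample contents for a "running kernel" and a pinned features-file, so the effect of pinning (and of leaving the pin commented out) can be checked directly. The sample entries are assumptions made for the example, not a real kernel's feature list.

```python
import re

# Constructed, simplified samples in the nested-brace layout of AppArmor
# features files (assumption: real files carry many more entries).
KERNEL_FEATURES = ("caps {mask {chown dac_override net_admin\n}\n}\n"
                   "dbus {mask {acquire send receive\n}\n}\n"
                   "policy {versions {v5 v6 v7\n}\nset_load {yes\n}\n}\n")
PINNED_FEATURES = ("caps {mask {chown dac_override\n}\n}\n"
                   "policy {versions {v5 v6 v7 v8\n}\nset_load {yes\n}\n}\n")

def parse_features(text):
    """Flatten a brace-nested features file into 'block/sub/value' strings."""
    feats, path, pending = set(), [], None
    for tok in re.findall(r"\{|\}|[^\s{}]+", text):
        if tok == "{":                      # 'pending' names the block we enter
            if pending is None:
                raise ValueError("'{' without a preceding name")
            path.append(pending)
            pending = None
        elif tok == "}":                    # close block; flush a trailing value
            if pending is not None:
                feats.add("/".join(path + [pending]))
                pending = None
            if not path:
                raise ValueError("unbalanced '}'")
            path.pop()
        else:                               # bare token is a value unless '{' follows
            if pending is not None:
                feats.add("/".join(path + [pending]))
            pending = tok
    if pending is not None:
        feats.add("/".join(path + [pending]))
    if path:
        raise ValueError("unclosed block in features file")
    return feats

def effective_features(kernel_text, pinned_text=None):
    """No pin: the kernel's own set. With a pin: the intersection, so pinned
    entries the kernel lacks are ignored and kernel entries outside the pin
    are capped off."""
    kernel = parse_features(kernel_text)
    if pinned_text is None:
        return kernel
    return kernel & parse_features(pinned_text)

def ignored_pinned_features(kernel_text, pinned_text):
    """Entries listed in the pin that the running kernel does not support."""
    return parse_features(pinned_text) - parse_features(kernel_text)
```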