[Pkg-swan-devel] About the charon-systemd apparmor profile
Yves-Alexis Perez
corsac at debian.org
Wed Mar 26 19:25:49 GMT 2025
On Tue, 2025-03-25 at 10:47 +0100, Noam Nedelec-Salmon wrote:
> As a part of an effort from the Ubuntu security team to expand AppArmor
> coverage I have recently been looking for network services that lack active
> confinement.
Hi Noam, thanks for reaching out. Best would be to use the
pkg-swan-devel at lists.alioth.debian.org mailing list (which I added to CC:).
>
> I noticed that the profile for charon-systemd in strongswan has been in
> complain mode for quite some time and would like to inquire about the
> reasons why that is the case. I more specifically would like to know: Could
> it be switched to enforce mode as is? Does it need additional work and/or
> testing beforehand?
Honestly I'm not sure. I guess it would make sense to switch to enforcing mode
but we are just past the transition freeze for the trixie release cycle so I'm
not sure it's the best time to actually do it, maybe it would make sense to
wait for the next release (even if that means waiting for a complete release
cycle).
Do you know if the 'enforcing' mode has been tested elsewhere?
Regards,
--
Yves-Alexis