INC-2026-04-04: Resolution
Resolution
Immediate Fix
Deploy AppArmor on P16g. See CR: P16g AppArmor Deployment for implementation plan.
Verification
# After AppArmor deployment — verify LSM stack
cat /sys/kernel/security/lsm
# Expected: lockdown,capability,yama,apparmor
# Verify AppArmor is enforcing
aa-status
- AppArmor in LSM stack
- Profiles loaded for high-risk applications (browsers, node/npm, Docker)
- Custom deny profiles for ~/.secrets/, ~/.gnupg/, ~/.age/ access
- Complain-mode profiles for remaining applications
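
The LSM-stack and deny-rule checks above as a script, added here as an example; it is not part of the incident record or the referenced CR. The sample profile (demo-app) is constructed, and verify_host assumes aa-status is run as root.

```shell
#!/bin/sh
# Added example: automates the verification checklist; not the incident's own tooling.
EXPECTED_LSMS="lockdown,capability,yama,apparmor"   # from the expected output above
SECRET_DIRS=".secrets .gnupg .age"                   # directories named in the checklist

# Print (comma-separated) every module in list $1 that is absent from list $2.
missing_lsms() {
    missing=""
    for want in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Read profile text on stdin; print the secret dirs with no active deny rule.
# Commented-out rules do not count as coverage.
undenied_secret_dirs() {
    profile=$(cat)
    open=""
    for dir in $SECRET_DIRS; do
        re=$(printf '%s' "$dir" | sed 's/\./\\./g')
        printf '%s\n' "$profile" |
            grep -Eq "^[[:space:]]*(audit[[:space:]]+)?deny[[:space:]].*/$re/" ||
            open="${open:+$open }$dir"
    done
    printf '%s\n' "$open"
}

# Constructed sample profile (hypothetical name and path): the .age rule is commented out.
SAMPLE_PROFILE='profile demo-app /usr/bin/demo-app {
  deny @{HOME}/.secrets/** mrwkl,
  audit deny @{HOME}/.gnupg/** mrwkl,
  # deny @{HOME}/.age/** mrwkl,
}'

# Live check on the host; run with VERIFY_LIVE=1 (aa-status needs root).
verify_host() {
    active=$(cat /sys/kernel/security/lsm) || return 1
    gap=$(missing_lsms "$EXPECTED_LSMS" "$active")
    [ -z "$gap" ] || { echo "FAIL: missing LSMs: $gap"; return 1; }
    aa-status --enabled || { echo "FAIL: AppArmor not enabled"; return 1; }
    [ "$(aa-status --enforced)" -gt 0 ] || { echo "FAIL: no enforce-mode profiles"; return 1; }
    echo "OK: $active"
}
if [ "${VERIFY_LIVE:-0}" = 1 ]; then verify_host; fi
```

Pipe a deployed profile into undenied_secret_dirs to list any of the three directories it leaves uncovered; an empty line means all three have an active deny rule.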