Dec 24 2019
Any attempted access of /boot would be logged the same way anyway although it might be good to use that to stop it from showing up in aa-logprof.
Would an audit denyrule for /boot be useful for the sake of audit?
/boot isn't allowed in init-systemd anyway so we don't need to add it to dangerous-files. Apparmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.
Still need to add /boot to https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files? Currently cannot find it there.
Dec 23 2019
/boot/ is already unreadable.
Dec 7 2019
Nov 23 2019
I created the issue: