[pkg-apparmor] [PATCH 2/6] Add a profile for ntpd.

Felix Geyer fgeyer at debian.org
Sat Aug 30 19:04:48 UTC 2014 

On 30.08.2014 20:42, intrigeri wrote:
> Felix Geyer wrote (29 Aug 2014 21:19:21 GMT) :
>> ---
>>  debian/README.Debian   |  1 +
>>  debian/copyright       | 22 ++++++++++++++
>>  profiles/tunables/ntpd | 15 ++++++++++
>>  profiles/usr.sbin.ntpd | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++
>>  4 files changed, 119 insertions(+)
>>  create mode 100644 profiles/tunables/ntpd
>>  create mode 100644 profiles/usr.sbin.ntpd
> 
> ACK (I'll compare the profiles with the ones from Ubuntu before
> merging).
> 
> However, this profile may not be loaded soon enough to be actually
> applied, see Debian#670170 -- Ubuntu does that with upstart, and we
> don't have the corresponding systemd bits in sid yet.

Ubuntu only has that problem because it's using an upstart job instead
of the init script.

> Did you try how it goes on current Debian sid, in practice? I'd love
> to see a test matrix for (server, desktop) x (sysvinit, systemd).

I tested it with systemd. I don't think server / desktop makes a difference.
The apparmor init script is started in runlevel S. I think even with
systemd that's guaranteed to be started before the usual runlevel 2-5 init
scripts.

However when ntp gains a systemd service file this might become a problem.

> Anyway, IMO that's not a blocker: shipping the profile will make it
> easier to tackle this problem. OTOH, possibly part of the solution
> will be to use systemd v210+'s ApparmorProfile= option, then maybe the
> best place to add the ntpd profile would be the ntp package itself.
> We can change this later, and I'm in favour of going ahead and taking
> the proposed patch, if shipping the ntpd policy in aa-p-extra is
> already useful in some usecases.

ApparmorProfile only switches to existing profiles but doesn't load them so
this won't help.

I've heard there are plans to rewrite the AppArmor parser as a library so it
can be used by systemd to load profiles. I suspect that will take some
time however.

Cheers,
Felix

PS: No need to CC me, I'm subscribed :)

More information about the pkg-apparmor-team mailing list