[pkg-apparmor] [PATCH 2/6] Add a profile for ntpd.

intrigeri intrigeri at debian.org
Sat Aug 30 20:53:50 UTC 2014


Hi,

Felix Geyer wrote (30 Aug 2014 19:04:48 GMT) :
> On 30.08.2014 20:42, intrigeri wrote:
>> However, this profile may not be loaded soon enough to be actually
>> applied, see Debian#670170 -- Ubuntu does that with upstart, and we
>> don't have the corresponding systemd bits in sid yet.

> Ubuntu only has that problem because it's using an upstart job instead
> of the init script.

Ah, I was confusing this situation with the dhclient one (where the
profile must be loaded before any network interface is up'ed, which
can't be guaranteed as long as we use an apparmor initscript that is
started after $remote_fs).

Not that it matters much, but I don't think Ubuntu is using an upstart
job for ntp. My understanding is that before the network is
up'ed, apparmor_parser is run against the profiles linked from
/etc/apparmor/init/network-interface-security. So, in the case of ntp,
this merely adds a safeguard, just in case something starts the
network before the apparmor initscript has run, somehow. I think :)

>> Did you try how it goes on current Debian sid, in practice? I'd love
>> to see a test matrix for (server, desktop) x (sysvinit, systemd).

> I tested it with systemd. I don't think server / desktop makes a difference.
> The apparmor init script is started in runlevel S. I think even with
> systemd that's guaranteed to be started before the usual runlevel 2-5 init
> scripts.

Yep, and I've verified it's the case thanks to systemctl
list-dependencies. I've also verified (by testing try-restart
manually) that /etc/dhcp/dhclient-exit-hooks.d/ntp doesn't start the
ntp service if it's not running yet. So, we should be fine for now.

> However when ntp gains a systemd service file this might become a problem.

Right. Once it happens, the ntp unit file will likely need something
similar to what libvirtd.service has: After=apparmor.service
... although ideally, this would be automated in some way.

> I've heard there are plans to rewrite the AppArmor parser as a library so it
> can be used by systemd to load profiles. I suspect that will take some
> time however.

I guess so. Any idea what Ubuntu release it's a goal for?

Cheers,
-- 
intrigeri
