[pkg-apparmor] Loading some profiles before the network is up [Was: [PATCH 2/6] Add a profile for ntpd.]

intrigeri intrigeri at debian.org
Sun Aug 31 16:34:57 UTC 2014


Hi,

Felix Geyer wrote (30 Aug 2014 21:32:26 GMT) :
> On 30.08.2014 22:53, intrigeri wrote:

> Ah right, there is no upstart job but Ubuntu ships a modified version of
> /etc/network/if-up.d/ntpdate.
> It stops and starts ntp which likely causes it to start earlier.

Indeed, hence the need for the upstart trick. Got it, thanks!

>> Right. Once it happens, the ntp unit file will likely need something
>> similar to what libvirtd.service has: After=apparmor.service
>> ... although ideally, this would be automated in some way.

> For libvirtd.service this isn't necessary is it?

> I've looked some more at the systemd service dependencies.
> All services that don't have DefaultDependencies=no should be fine since
> apparmor.service is ordered before basic.target (through sysinit.target).

Makes sense.

> We could probably add the same hack as Ubuntu to load some profiles before the
> network is up.

Definitely. I've seen this topic discussed on the AppArmor and systemd
mailing-lists, and on #apparmor too, a few months ago (shortly after
the TC's decision wrt. the default Jessie init system), but these
various discussions didn't really converge to any real plan or WIP.
I think that the next step is to dig through the archives, sum up the
problems and potential solutions, and ask both the AppArmor and
systemd lists about it for comments and ideas. Wanna do that?

Cheers,
-- 
intrigeri
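A systemd drop-in illustrating the ordering point made above (a unit with DefaultDependencies=no loses the implicit sysinit.target ordering and must name apparmor.service itself), as an added example rather than anything shipped by Debian or discussed in this thread; the drop-in path and the assumption that the unit runs early are hypothetical:

```ini
# Added example, not from this thread: /etc/systemd/system/ntp.service.d/apparmor.conf
# A service without DefaultDependencies=no gets After=sysinit.target implicitly, and
# apparmor.service is ordered Before=sysinit.target, so the profile is loaded first.
# Setting DefaultDependencies=no drops that implicit ordering, so the unit has to
# order itself after apparmor.service explicitly.

# Weak variant (kept as comments): started early, but with no ordering against
# apparmor.service, so ntpd can start before its profile is loaded and run
# unconfined until the profile is applied.
# [Unit]
# DefaultDependencies=no
# After=network-pre.target

# Corrected drop-in: keep the early start, but make profile loading a prerequisite.
[Unit]
DefaultDependencies=no
After=apparmor.service network-pre.target
Wants=apparmor.service
```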
