[pkg-apparmor] Loading some profiles before the network is up [Was: [PATCH 2/6] Add a profile for ntpd.]

Felix Geyer fgeyer at debian.org
Sun Aug 31 18:58:47 UTC 2014


Hi,

On 31.08.2014 18:34, intrigeri wrote:
> [...]
>
>> We could probably add the same hack as Ubuntu to load some profiles before the
>> network is up.
> 
> Definitely. I've seen this topic discussed on the AppArmor and systemd
> mailing-lists, and on #apparmor too, a few months ago (shortly after
> the TC's decision wrt. the default Jessie init system), but these
> various discussions didn't really converge to any real plan or WIP.
> I think that the next step is to dig through the archives, sum up the
> problems and potential solutions, and ask both the AppArmor and
> systemd lists about it for comments and ideas. Wanna do that?

I quickly searched on both lists but couldn't find anything regarding profile
loading.

The two things I remember from IRC discussions are:
- Turn the parser into a library that systemd can use.
- Support caching of profiles for multiple kernels so loading them very early
  becomes feasible.

If we are only concerned with dhclient (and maybe a few other profiles), we
can just write a systemd service that loads them.
With systemd >= 214 this is trivial since there is a network-pre.target.

The Ubuntu dhclient profile with systemd from experimental and this service
worked fine for me:

> [Unit]
> Description=Load AppArmor profiles needed before the network comes up
> DefaultDependencies=no
> Before=network-pre.target
>
> [Service]
> Type=oneshot
> ExecStart=/sbin/apparmor_parser -r -W /etc/apparmor.d/sbin.dhclient
>
> [Install]
> WantedBy=multi-user.target

Cheers,
Felix
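The unit above is tied to one profile. As an added illustration that is not part of Felix's message or of the pkg-apparmor packaging, the shell functions below generate the same kind of oneshot unit for a list of profiles and check that each profile file exists before the unit is installed. The unit name, the `ConditionSecurity=apparmor` line and the `APPARMOR_D` override are assumptions for this example; `Wants=network-pre.target` is added because, per systemd.special(7), network-pre.target is a passive target that `Before=` alone does not pull into the transaction.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumptions: apparmor_parser is /sbin/apparmor_parser, profiles live in
# /etc/apparmor.d (overridable through APPARMOR_D for testing), and the
# unit is meant to be installed as e.g. apparmor-pre-network.service.

# gen_unit PROFILE...
# Print a systemd unit that loads the named profiles (basenames under
# /etc/apparmor.d) before network-pre.target, one ExecStart= per profile.
gen_unit() {
    [ "$#" -gt 0 ] || { echo "usage: gen_unit PROFILE..." >&2; return 2; }
    dir="${APPARMOR_D:-/etc/apparmor.d}"
    cat <<'EOF'
[Unit]
Description=Load AppArmor profiles needed before the network comes up
DefaultDependencies=no
# network-pre.target is passive: Before= orders us, Wants= pulls it in.
Wants=network-pre.target
Before=network-pre.target
# Skip silently on kernels without AppArmor instead of failing the boot.
ConditionSecurity=apparmor

[Service]
Type=oneshot
EOF
    for p in "$@"; do
        # -r replaces an already-loaded profile, -W writes the binary cache.
        printf 'ExecStart=/sbin/apparmor_parser -r -W %s/%s\n' "$dir" "$p"
    done
    cat <<'EOF'

[Install]
WantedBy=multi-user.target
EOF
}

# check_profiles PROFILE...
# Return 0 if every named profile exists under the profile directory,
# otherwise list the missing ones on stderr and return 1.
check_profiles() {
    dir="${APPARMOR_D:-/etc/apparmor.d}"
    missing=0
    for p in "$@"; do
        if [ ! -f "$dir/$p" ]; then
            echo "missing profile: $dir/$p" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Typical use: check first, then write the unit.
#   check_profiles sbin.dhclient && \
#       gen_unit sbin.dhclient > /etc/systemd/system/apparmor-pre-network.service
```

After writing the unit, `systemctl daemon-reload` and `systemctl enable` it; `systemctl list-dependencies --before network-pre.target` should then show the service, and `aa-status` after boot confirms the profile is in enforce mode before dhclient starts.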
