[pkg-apparmor] Loading some profiles before the network is up [Was: [PATCH 2/6] Add a profile for ntpd.]

intrigeri intrigeri at debian.org
Tue Sep 9 21:47:36 UTC 2014


Hi,

Felix Geyer wrote (31 Aug 2014 18:58:47 GMT) :
> Hi,

> On 31.08.2014 18:34, intrigeri wrote:
>> [...]
>>
>>> We could probably add the same hack as Ubuntu to load some profiles before the
>>> network is up.
>> 
>> Definitely. I've seen this topic discussed on the AppArmor and systemd
>> mailing-lists, and on #apparmor too, a few months ago (shortly after
>> the TC's decision wrt. the default Jessie init system), but these
>> various discussions didn't really converge to any real plan or WIP.
>> I think that the next step is to dig through the archives, sum up the
>> problems and potential solutions, and ask both the AppArmor and
>> systemd lists about it for comments and ideas. Wanna do that?

> I quickly searched on both lists but couldn't find anything regarding profile
> loading.

There's a *little* bit of discussion starting there:
http://lists.freedesktop.org/archives/systemd-devel/2014-February/017220.html

> The two things I remember from IRC discussions are:
> - Turn the parser into a library that systemd can use.
> - Support caching of profiles for multiple kernels so loading them very early
>   becomes feasible.

Yep. I don't remember more, indeed.

> If we are only concerned with dhclient (and maybe a few other profiles) we
> can just write a systemd service that loads them.
> With systemd >= 214 this is trivial since there is a network-pre.target.

> The Ubuntu dhclient profile with systemd from experimental and this service
> worked fine for me: [...]

Looks good! Want to ask the dhclient maintainers if they want to carry
the profile in the corresponding package, along with a unit file like
this? Jessie will have systemd v214+, so it looks doable. Otherwise,
maybe we can put it into apparmor-profiles-extra.

Cheers,
-- 
intrigeri
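The service Felix describes (a oneshot unit ordered before network-pre.target that loads a handful of profiles with apparmor_parser) could look like the following. This is an added illustration, not the unit Felix posted (which is elided above) and not anything shipped by the apparmor or isc-dhcp packages; the unit name and the profile path /etc/apparmor.d/sbin.dhclient (the Ubuntu name) are assumptions.

```ini
# Hypothetical /etc/systemd/system/apparmor-pre-network.service
# (added example; unit name and profile path are assumptions).
[Unit]
Description=Load AppArmor profiles needed before the network comes up
Documentation=man:apparmor_parser(8) man:systemd.special(7)
# Drop the implicit sysinit/basic dependencies: this has to run earlier than they would allow.
DefaultDependencies=no
# The profile files live on the root filesystem under /etc/apparmor.d.
After=local-fs.target
# network-pre.target (systemd >= 214) is a passive target: a unit that must run
# before any network configuration both orders itself Before= it and Wants= it,
# otherwise the target is never pulled into the transaction.
Wants=network-pre.target
Before=network-pre.target
# Do nothing on kernels where AppArmor is not enabled (no /sys/kernel/security/apparmor).
ConditionSecurity=apparmor

[Service]
Type=oneshot
RemainAfterExit=yes
# --replace (-r) loads the profile, or replaces it if it is already in the kernel,
# so a later full load by the regular apparmor init job is harmless.
ExecStart=/sbin/apparmor_parser --replace /etc/apparmor.d/sbin.dhclient

[Install]
WantedBy=sysinit.target
```

After `systemctl enable` and a reboot, `systemd-analyze critical-chain network-pre.target` should show this unit finishing before the target, and `aa-status` should list the dhclient profile as loaded before any interface was brought up; if dhclient still runs unconfined, the usual cause is a profile name that does not match the binary path on Debian, which is exactly what carrying the profile in the dhclient package itself would settle.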
