[pkg-apparmor] Bug#782700: Bug#782700: Please drop $remote_fs init.d dependency to allow running early
Cameron Norman
camerontnorman at gmail.com
Thu Apr 16 15:58:11 UTC 2015
On Thu, Apr 16, 2015 at 6:22 AM, Michael Biebl <biebl at debian.org> wrote:
> Hi!
>
> While we are that topic, I think it would be better to not pull apparmor
> specifics into ifup@.service and networking.service, but rather have
> apparmor ship a native .service file and specify the correct orderings,
> maybe by hooking up in network-pre.target.
>
> Then again, I'm not too familiar with AppArmor: Is every service, which
> wants to be confined by apparmor supposed to declare a
> After=apparmor.service in its service file?
Well, what I have seen in Upstart confs is that all profiles that the
job uses are loaded before the job is started with the `apparmor load`
directive. This prevents any possible race conditions because, for
example, cups would load its profile before its start regardless of
whether the apparmor job has started.
systemd only has an AppArmorProfile= directive, which is equivalent to
Upstart's `apparmor switch`. Either systemd should gain an
AppArmorLoad= directive or it should load all profiles itself before
starting any services (like it does with SELinux policy).
The workaround you describe seems to be a good choice ATM, and is
similar to how it is done on Upstart with the
network-interface-security job:
# Since we need these profiles to be loaded before any of the above services
# begin running, this service must be a pre-start so that its pre-start
# script finishes before the above services' start scripts begin.
pre-start script
    [ -f /run/network-interface-security ] && exit 0 # already ran
    [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
    [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
    [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
    # each symlink points at one profile; -r replaces, -W writes the cache
    for link in /etc/apparmor/init/network-interface-security/* ; do
        [ -L "$link" ] && /sbin/apparmor_parser -r -W "$link" || true
    done
    # stamp file so a second run is a no-op (see the first check above)
    > /run/network-interface-security
end script
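As an added illustration (not part of this e-mail and not the Debian apparmor package's own units), this is one way to express the ordering Michael asks about in native systemd units rather than in ifup@.service: a oneshot apparmor.service that loads every profile early, ordered before network-pre.target so that anything bringing up interfaces (which orders itself after network-pre.target) sees the profiles already in the kernel, plus a drop-in for a confined service that orders itself after apparmor.service. The unit name, file paths and the cupsd profile name are assumptions for the example. The caveat worth knowing: AppArmorProfile= (systemd.exec(5)) only switches to a profile that is already loaded; if it is not, the service's processes fail to start, so the After=apparmor.service ordering is what closes the race the `apparmor load` stanza closes on Upstart.

```ini
# /etc/systemd/system/apparmor.service   (assumed unit name and path)
[Unit]
Description=Load AppArmor profiles
DefaultDependencies=no
# Must be up before early boot finishes and before anything that brings
# up network interfaces; network-pre.target is the standard hook for the latter.
Before=sysinit.target network-pre.target
# Skip cleanly when the kernel has no AppArmor (ConditionSecurity=) or
# there are no profiles to load.
ConditionSecurity=apparmor
ConditionPathIsDirectory=/etc/apparmor.d

[Service]
Type=oneshot
RemainAfterExit=yes
# -r replaces already-loaded profiles, -W writes the compiled cache;
# pointing the parser at the directory loads every profile in it.
ExecStart=/sbin/apparmor_parser -r -W /etc/apparmor.d/

[Install]
WantedBy=sysinit.target

# /etc/systemd/system/cups.service.d/apparmor.conf   (assumed drop-in)
# Equivalent of Upstart's `apparmor load` + `apparmor switch` for one job:
# make sure the profiles are loaded first, then switch into the profile.
[Unit]
Wants=apparmor.service
After=apparmor.service

[Service]
# Profile name assumed to match the usr.sbin.cupsd profile; without the
# ordering above this line fails the service whenever the profile is not
# loaded yet (prefix the name with "-" to ignore that error instead).
AppArmorProfile=/usr/sbin/cupsd
```

After dropping these in, `systemctl daemon-reload` and `systemctl list-dependencies --after cups.service` show whether apparmor.service is now ordered before the confined unit.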