[pkg-apparmor] Bug#923367: AppArmor: Profile for journald

intrigeri intrigeri at debian.org
Thu Mar 7 20:41:40 GMT 2019


Hi,

[I thought I had sent this on Feb 27, it's in my Sent folder,
but for some reason it did not make it to the BTS.]

Jörg Sommer:
> I've created a profile for journald to restrict the possible capabilities
> the process has.

Interesting!

> But journald starts before the AppArmor profiles get loaded.

I would suggest trying to use the AppArmorProfile= directive in the
journald unit. I suspect it'll fail because some other stuff (normally
set up by apparmor.service) is not ready yet at the time journald
starts, but it'll be interesting to know what that stuff is and
possibly we can set it up earlier. E.g. some of the work currently
done by apparmor.service could be moved to another service, that
starts earlier in the boot process.

> I've created a service to run after apparmor.service to restart all
> unconfined services having a profile. What do you think about this?
> Would you include this in the package?

This feels like a workaround and the potential for problematic side
effects kind of scares me. I'd rather see us work towards a nicer
solution for confining services that start before apparmor.service.

It's too late for Buster anyway so we have plenty of time to think
about it and experiment with various ideas for Bullseye :)

Cheers,
-- 
intrigeri
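As an added illustration of the AppArmorProfile= approach discussed above (this is not code from the bug report, from Jörg's profile, or from the Debian AppArmor package), the snippet below renders a systemd drop-in for systemd-journald.service and provides a check of whether the running journald actually ended up confined. The profile name "systemd-journald" is an assumed placeholder; substitute the name of whatever profile is loaded. The leading "-" on the directive is systemd's documented way of ignoring errors, which matters here because the profile is loaded by apparmor.service, and if that has not run yet when journald execs, a bare AppArmorProfile= makes the unit fail instead of merely starting unconfined.

```shell
#!/bin/sh
# Added example for Bug#923367 discussion; not part of the package.
# Assumed profile name (placeholder): systemd-journald

UNIT=systemd-journald.service
DROPIN_DIR="/etc/systemd/system/${UNIT}.d"

# Render the drop-in text. The leading '-' tells systemd to ignore errors
# (e.g. the profile not yet being loaded into the kernel), so a missing
# profile degrades to "journald runs unconfined" rather than "journald
# fails to start". Drop the '-' only once profile loading is guaranteed
# to happen before journald starts.
render_dropin() {
    printf '[Service]\nAppArmorProfile=-%s\n' "$1"
}

# Write the drop-in and reload systemd (needs root; not run at top level).
install_dropin() {
    mkdir -p "$DROPIN_DIR"
    render_dropin "$1" > "$DROPIN_DIR/apparmor.conf"
    systemctl daemon-reload
    systemctl restart "$UNIT"
}

# Interpret a label read from /proc/<pid>/attr/current, which is either
# "unconfined" or "<profile> (enforce|complain)".
# Returns 0 when the process runs under a profile, 1 when unconfined.
is_confined_label() {
    case "$1" in
        unconfined*) return 1 ;;
        *) return 0 ;;
    esac
}

# Check the live journald process: this is the test that tells you whether
# the profile was in the kernel early enough for the directive to take effect.
check_journald() {
    pid=$(systemctl show -p MainPID --value "$UNIT")
    label=$(cat "/proc/$pid/attr/current")
    if is_confined_label "$label"; then
        echo "journald confined: $label"
    else
        echo "journald unconfined (profile not loaded before exec?)"
    fi
}
```

Run `check_journald` after a reboot rather than after a manual restart: a manual restart happens after apparmor.service has loaded the profiles and will show confinement even when the boot-time ordering problem described in the report still exists.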