[pkg-apparmor] apparmor.service - get upstream and Debian (mostly?) in sync?
Christian Boltz
apparmor at cboltz.de
Sun Nov 5 18:14:23 GMT 2023
Hello,
Am Mittwoch, 25. Oktober 2023, 11:42:40 CET schrieb intrigeri:
> Yep, for historical context, IIRC both Debian and OpenSUSE initially
> had their own downstream systemd unit, and then you've upstreamed your
> (OpenSUSE) version, which was a good first step. Since then, nobody
> ensured that upstreamed version was suitable for Debian as well, so
> here we are still shipping our own. In 2018 I did lots of work to
> make the Debian version closer to upstream's but I did not go as far
> as fully converging.
>
> I won't have time to work on this any time soon myself, but here's
> a suggestion to anyone who will:
I hope you at least have some time to give feedback ;-)
I already got the Documentation=... upstream, and the remaining diff is:
--- upstream
+++ Debian
[Unit]
Description=Load AppArmor profiles
DefaultDependencies=no
Before=sysinit.target
+After=local-fs.target
I'd prefer to not use After=local-fs.target, see below.
After=systemd-journald-audit.socket
-# profile cache: /var/cache/apparmor/ and /usr/share/apparmor/cache/
-After=var.mount var-cache.mount usr.mount usr-share.mount
+RequiresMountsFor=/var/cache/apparmor
I guess switching upstream to RequiresMountsFor should be easy.
The most interesting question is if we should keep the dependency on
/usr/share/apparmor for the precompiled cache.
FYI: I have disabled the precompiled cache in the Tumbleweed packages
again, because it caused interesting[tm] problems - the parser only
looks at the timestamps, which meant "old" local additions (older than
the precompiled cache) were missed.
+AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
I'd be somewhat surprised if apparmor gets started before /sys/ is
mounted, and we already have ConditionSecurity=apparmor in the next
line.
So - do you think this is really needed?
ConditionSecurity=apparmor
Documentation=man:apparmor(7)
Documentation=https://gitlab.com/apparmor/apparmor/wikis/home/
+# Don't start this unit on the Ubuntu Live CD
+ConditionPathExists=!/rofs/etc/apparmor.d
+
+# Don't start this unit on the Debian Live CD when using overlayfs
+ConditionPathExists=!/run/live/overlay/work
These lines might be candidates for a drop-in shipped as
/usr/lib/systemd/system/apparmor.service.d/debian.conf in Debian and
Ubuntu.
[Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
This (together with "After=local-fs.target") is probably the most
interesting diff.
My goal is to load AppArmor profiles as early as possible, therefore I'd
prefer to keep sysinit.target. Can I convince you to also use it, and to
drop "After=local-fs.target"?
(If it helps: the dependencies in the upstream apparmor.service always
worked in openSUSE.)
Feedback welcome ;-)
Regards,
Christian Boltz
--
* mrdocs wonders when darix sleeps
<sshaw> mrdocs: robots don't need sleep
[from #opensuse-buildservice]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20231105/55d25a56/attachment.sig>
More information about the pkg-apparmor-team
mailing list