AppArmorProfile= unit file option in Jessie?

intrigeri intrigeri at debian.org
Tue Jun 17 01:41:33 BST 2014


Hi,

(Please Cc me any reply I should read. I'm subscribed to the PTS,
but I didn't go as far as subscribing to the list.)

tl;dr: Do you think we will have systemd v210+ in Jessie?

Rationale: I'm working on improving AppArmor support in Debian.
In some cases (e.g. to have the upcoming Tor native unit file match
the current initscript's functionality), the best solution is to use
the native init system's support for switching to the appropriate
profile when starting the service. This feature made its way into
systemd v210 (commit eef65bf). At first glance, this commit seems
non-trivial to cherry-pick on top of v208, due to the SELinux and
seccomp bits that were changed/added in the meantime, but I'm no
C programmer.

To put things into perspective, for some use cases, such as ntpd and
isc-dhcp-client, profile switching capability is not enough: ideally,
systemd would be able to *load* the corresponding profile in due time,
regardless of when in the boot process the apparmor initscript loads
all other profiles. There's been some preliminary discussion about it
a few months ago, concurrently both in the AppArmor community and the
systemd one, but last time I checked the two ends of the discussion
hadn't met yet. I'll try to help fix this situation, mostly thanks to
the AppArmor folks from Ubuntu who won't want to see regressions when
moving to systemd, but it seems unlikely that anything is ready in
time for Jessie.

Thanks a lot for maintaining systemd in Debian!

Cheers,
-- 
intrigeri
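As an added example (not code from the mail, nor from the tor or systemd packages), the two points above in practice: a drop-in that asks systemd v210+ to switch to a profile via AppArmorProfile=, and a check that the profile was actually loaded before the service started and that the running process is confined by it. It assumes the unit is tor.service and the profile is named system_tor; file paths are parameters so the functions can be exercised on constructed input.

```shell
#!/bin/sh
# Assumptions: service tor.service, profile system_tor (substitute your own).

# Write a drop-in that makes systemd switch to the profile on ExecStart=.
# systemd accepts a leading "-" to ignore a failed switch; it is left out
# here so a missing profile fails the start instead of running unconfined.
write_dropin() {   # $1 = drop-in dir, e.g. /etc/systemd/system/tor.service.d
    mkdir -p "$1"
    printf '[Service]\nAppArmorProfile=system_tor\n' > "$1/apparmor.conf"
}

# Profile named by the last AppArmorProfile= line in a unit or drop-in,
# with any leading "-" stripped.
unit_profile() {
    sed -n 's/^AppArmorProfile=-\{0,1\}//p' "$1" | tail -n 1
}

# Is profile $1 loaded? $2 is the kernel's list (one "name (mode)" line per
# loaded profile); defaults to /sys/kernel/security/apparmor/profiles.
profile_loaded() {
    grep -q "^$1 (" "${2:-/sys/kernel/security/apparmor/profiles}"
}

# Profile a process runs under, read from its /proc/PID/attr/current
# ("name (mode)" or "unconfined"); $1 is that file's path.
confinement_of() {
    sed 's/ (.*//' "$1"
}

# End-to-end check: profile requested, loaded, and actually applied.
# Returns 1 if the unit names no profile, 2 if it is not loaded (the
# load-ordering problem described in the mail), 3 if the process ended up
# elsewhere (typically "unconfined"), 0 when all three agree.
check_service() {   # $1 = unit file, $2 = profile list, $3 = attr/current
    want=$(unit_profile "$1")
    [ -n "$want" ] || return 1
    profile_loaded "$want" "$2" || return 2
    have=$(confinement_of "$3")
    [ "$have" = "$want" ] || return 3
    echo "confined by $want"
}

# Live use on a host (not run here):
#   pid=$(systemctl show -p MainPID tor.service | cut -d= -f2)
#   check_service /etc/systemd/system/tor.service.d/apparmor.conf \
#       /sys/kernel/security/apparmor/profiles "/proc/$pid/attr/current"
```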
