Bug#760526: Enable AppArmor support (using libapparmor)

intrigeri intrigeri at debian.org
Tue Sep 23 07:51:15 BST 2014


Hi,

intrigeri wrote (09 Sep 2014 00:14:30 GMT) :
> So: yes, please. I've been waiting for it eagerly, and will submit
> patches to the Tor upstream unit file as soon as Debian's systemd
> supports this option.

I really want this to land in time for Jessie, so I've given it a try:

1. added libapparmor-dev to build-depends
2. the current apparmor package in Debian lacked pkg-config support,
   and thus the systemd build system did not detect it, so:
3. uploaded apparmor 2.8.0-8 with pkg-config support
4. now systemd builds fine, with AppArmor support according to the
   build log. Woohoo, first milestone reached! :)

Remaining problems:

a) I don't see any dependency automatically added on libapparmor1, and
   I've no idea which binary package exactly should have it. Any hint?

b) The AppArmor support actually doesn't work for me. With the
   attached unit file for Tor (i.e. the upstream one, slightly
   adjusted for Debian), after un-commenting the AppArmorProfile
   directive, running `systemctl --system daemon-reload', and trying
   to restart the service, it fails to start. Status:

   ● tor.service - Anonymizing overlay network for TCP
      Loaded: loaded (/etc/systemd/system/tor.service; disabled)
      Active: failed (Result: start-limit) since Mon 2014-09-22 23:31:52 PDT; 3s ago
     Process: 24186 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --verify-config (code=exited, status=231/APPARMOR)
    Main PID: 26773 (code=exited, status=0/SUCCESS)
   
   Sep 22 23:31:52 ensifera systemd[1]: Unit tor.service entered failed state.
   Sep 22 23:31:52 ensifera systemd[1]: tor.service start request repeated too quickly, refusing to start.
   Sep 22 23:31:52 ensifera systemd[1]: Failed to start Anonymizing overlay network for TCP.
   Sep 22 23:31:52 ensifera systemd[1]: Unit tor.service entered failed state.
   zsh: exit 3     sudo service tor status

The "status=231/APPARMOR" seems to contain (the beginning of) an
explanation, but I'm no C programmer, so diving into the source code
to understand what it can possibly mean is a bit outside of my comfort
zone. Note that the system_tor AppArmor profile *is* loaded in the
kernel, confirmed with aa-status.

Note that the version of the AppArmor userspace we're carrying in
Debian currently is a bit old, and it might be that the AppArmor
support in systemd was only tested with a newer version. If I find
a slot on my copious free time in the next days or weeks, I'll try to
reproduce this problem with the latest upstream version.

Cheers,
--
intrigeri

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tor.service
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20140922/8d5df2fb/attachment-0002.ksh>
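An added diagnostic for the "status=231/APPARMOR" failure above; it is not code from this mail, from systemd or from the Debian packaging. systemd asks libapparmor (aa_change_onexec) for an exec-time transition into the AppArmorProfile before running ExecStartPre and exits 231 when that request fails, so the underlying errno never reaches the status output; this program repeats the profile check and the transition request by hand and prints the errno. It assumes the kernel's profile listing at /sys/kernel/security/apparmor/profiles and that the request is made by writing "exec <profile>" to /proc/self/attr/exec, which is how I understand libapparmor implements the call; it needs no libapparmor to build.

```c
/* Added diagnostic for "status=231/APPARMOR"; not from the mail, systemd or
 * the Debian packaging. systemd asks libapparmor (aa_change_onexec) for an
 * exec-time transition before running ExecStartPre and exits 231 when that
 * fails, hiding the errno; this repeats the request by hand and prints it.
 * Assumed paths: /sys/kernel/security/apparmor/profiles (kernel listing)
 * and /proc/self/attr/exec (where "exec <profile>" is written). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* listing has one "name (mode)" per line; 1 if exactly `name` is loaded. */
int profile_loaded_in(const char *listing, const char *name) {
    size_t n = strlen(name);
    const char *p = listing;
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len >= n && strncmp(p, name, n) == 0 &&
            (len == n || p[n] == ' '))   /* whole name, not a prefix */
            return 1;
        p = eol ? eol + 1 : NULL;
    }
    return 0;
}
/* Returns 0 or -errno, what aa_change_onexec() hands back to systemd. */
int request_onexec(const char *profile) {
    char buf[256];
    int len = snprintf(buf, sizeof buf, "exec %s", profile);
    if (len < 0 || (size_t)len >= sizeof buf) return -ENAMETOOLONG;
    int fd = open("/proc/self/attr/exec", O_WRONLY);
    if (fd < 0) return -errno;
    int rc = write(fd, buf, (size_t)len) == len ? 0 : -errno;
    close(fd);
    return rc;
}

int main(int argc, char **argv) {
    const char *profile = argc > 1 ? argv[1] : "system_tor";
    static char listing[1 << 16];
    FILE *f = fopen("/sys/kernel/security/apparmor/profiles", "r");
    size_t got = f ? fread(listing, 1, sizeof listing - 1, f) : 0;
    listing[got] = '\0'; if (f) fclose(f);
    printf("profile %s loaded: %s\n", profile,
           profile_loaded_in(listing, profile) ? "yes" : "no");
    int rc = request_onexec(profile);
    printf("exec transition: %s\n", rc ? strerror(-rc) : "accepted");
    return rc ? 231 : 0;   /* mirror systemd's EXIT_APPARMOR_PROFILE */
}
```

Run it as root from the same (unconfined) starting point systemd launches the service from; the printed strerror text is the detail the unit status drops (ENOENT, for instance, means the kernel has no profile under that name, which would point at a profile-name mismatch rather than at the systemd build).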