Bug#760526: Enable AppArmor support (using libapparmor)

intrigeri intrigeri at debian.org
Wed Sep 24 06:33:37 BST 2014


Control: tag -1 + patch

Hi,

intrigeri wrote (23 Sep 2014 17:01:21 GMT) :
> Michael Biebl wrote (23 Sep 2014 11:59:22 GMT) :
>>> a) I don't see any dependency automatically added on libapparmor1, and
>>>    I've no idea which binary package exactly should have it. Any hint?

>> Did you add "--enable-apparmor" to the configure flags?

I tried it, and indeed the binary systemd package now Depends:
libapparmor1 (>= 2.6~devel). Thanks!

So, only problem (b) remains. I was able to work around it by
commenting out these directives in the unit file:

  ReadOnlyDirectories = /
  ReadWriteDirectories = /var/lib/tor
  ReadWriteDirectories = /var/log/tor
  ReadWriteDirectories = /var/run/tor

Note that for some reason, leaving this directive in is not a problem,
though:

  InaccessibleDirectories = /home

And adding these directives works too:

  ProtectSystem = full
  ProtectHome = yes

To make sure this problem wasn't caused by the old apparmor package we
have, I've prepared a 2.8.96~2652-1 apparmor package yesterday, which
is now in experimental, and rebuilt systemd against it. Then, I've
tested the resulting systemd packages on a system that has apparmor
2.8.96~2652-1 from experimental, and I see the same problem, and the
same workaround applies.

Should we take this problem upstream? I've not subscribed to the
systemd ML, and never interacted with them yet, so I'd rather see you
do that. Still, if you can't or don't want to do it, I guess I can try
to find time to learn how to communicate with yet another friendly
upstream community... during the Jessie+1 dev cycle.

In any case:

 * According to codesearch, there are exactly zero unit files in Debian
   currently that use AppArmorProfile= (not a surprise, considering
   systemd doesn't support it in Debian yet), let alone combined with
   Read{Only,Write}Directories.

 * As far as the Tor unit file is concerned, the
   Read{Only,Write}Directories directives are not part of the unit
   file shipped upstream in the version (0.2.5.x) that will be in
   Jessie, so that's not a real problem yet, and we can add
   AppArmorProfile= in there. These directives are in Tor 0.2.6.x,
   though, so we'll have to handle it somehow for Jessie+1.

So, I don't think that the problem I'm seeing here is a blocker for
enabling AppArmor support in systemd. The attached patch implements
this. Once something like this is applied, I'll clone this bug report
to track the remaining problems.

Cheers,
-- 
intrigeri

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Enable-AppArmor-support-Closes-760526.patch
Type: text/x-diff
Size: 1176 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20140923/7174051b/attachment-0002.patch>
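The two directive combinations discussed in the message, written out as a systemd drop-in so the working set can be tried on a box without editing the packaged unit. This is an added example, not text from the message, from the attached patch, or from the Debian tor package; it assumes the daemon's AppArmor profile is named system_tor and is already loaded, and that the drop-in path /etc/systemd/system/tor.service.d/apparmor.conf is free. The first block is the combination intrigeri reports as failing alongside AppArmorProfile= and is left commented out for comparison only; the second block is the combination reported as working.

```ini
# Added example (not from the message or the Debian tor package).
# Assumption: the AppArmor profile confining the tor daemon is named
# "system_tor" and is loaded (check with: aa-status).

# --- Combination reported NOT to work together with AppArmorProfile= ---
# Kept commented out: do not install this part.
#
# [Service]
# AppArmorProfile=system_tor
# ReadOnlyDirectories=/
# ReadWriteDirectories=/var/lib/tor
# ReadWriteDirectories=/var/log/tor
# ReadWriteDirectories=/var/run/tor

# --- /etc/systemd/system/tor.service.d/apparmor.conf (reported working) ---
[Service]
# Only honoured by a systemd built with --enable-apparmor (the binary
# package then Depends: libapparmor1); an older build logs the directive
# as an unknown lvalue and ignores it, so the service runs unconfined.
AppArmorProfile=system_tor
# Sandboxing directives that the message reports coexisting with
# AppArmorProfile= (ProtectHome=yes already covers /home, so the
# InaccessibleDirectories=/home line from the message is not needed).
ProtectSystem=full
ProtectHome=yes
```

After installing the drop-in, run `systemctl daemon-reload` and `systemctl restart tor`, then confirm the directive was parsed with `systemctl show tor -p AppArmorProfile` and that the running process is actually confined by reading `/proc/$(pidof tor)/attr/current` (it should print `system_tor (enforce)`), or by looking for the process under the profile in `aa-status` output. Both checks matter: a silently ignored AppArmorProfile= leaves the daemon running with only the ProtectSystem=/ProtectHome= restrictions.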


More information about the Pkg-systemd-maintainers mailing list