[apparmor] What's the right way to enforce program in systemd service?
John Johansen
john.johansen at canonical.com
Fri Aug 15 18:43:54 UTC 2014
On 08/14/2014 08:03 PM, Aaron Lewis wrote:
> Hey just to clarify why I'm doing that explicitly in the systemd profile.
>
> Loading a bunch of profile is extremely slow so this has to run after
Actually it isn't, compiling the profiles is slow but we can load a couple
thousand profiles in a few seconds (depends on the system).
What we need to do is be able to ensure that there is always a valid
profile to load, so that at early boot something can be loaded without
a compile.
Part of achieving this is improving the cache so it can keep multiple
versions around. These patches are a work in progress and I expect they
will surface on the list soon.
The other part of this work is to split the cache routines out from
the parser into a library so that systemd can link against it. This is
a little further out but scheduled to happen soon too.
> system boot (after X I mean, I use autologin + startx)
> And in the meanwhile, some services like NetworkManager and nscd need
> to be enforced before it starts.
>
> So I had to add an ExecPre to fix that. If I don't, it would end up
> "The binary has a profile defined but running unconfined" blabla
>
yeah, Ubuntu has a split load atm where it does an early profile load
for a select few profiles, and then it does a generic reload.
>
> On Tue, Aug 12, 2014 at 4:23 PM, intrigeri <intrigeri at debian.org> wrote:
>> Hi,
>>
>> Christian Boltz wrote (11 Aug 2014 21:53:40 GMT) :
>>> It looks unnecessary to me - the dependencies should already enforce
>>> loading all AppArmor profiles before any daemons are started (at least
>>> it works on openSUSE that way).
>>
>> ... and, if a given system-wide daemon needs a specific profile that
>> doesn't match the program's path (e.g. see system_tor in Debian), then
>> systemd v210 adds support for running that service with an explicitly
>> defined profile.
>>
>>> That all said - currently I use the good old initscript even with
>>> systemd. Having a systemd unit to load all profiles would be nice (and
>>> would solve some annoying problems) - is someone interested in writing
>>> one? ;-)
>>
>> There's been discussion about it on the systemd ML ~2-3 months ago,
>> and also on #apparmor at about the same time, but IIRC nobody summed
>> up this discussion on the list. IIRC, Marc Deslauriers, among others,
>> had interesting ideas on this topic. I think one of the key points
>> here is how to early load those profiles that really need it, e.g.
>> things that Ubuntu loads via Upstart (dhcp client, ntp).
>>
>> Cheers,
>> --
>> intrigeri
>>
>> --
>> AppArmor mailing list
>> AppArmor at lists.ubuntu.com
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
>
>
>
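The two approaches discussed in this thread, written out as a systemd drop-in. This is an added illustration, not code from the thread or from any distribution's packaging; the unit name `example-daemon.service`, the profile name `example_daemon` and the profile file path are hypothetical placeholders. Option A uses the `AppArmorProfile=` directive that intrigeri mentions (systemd v210 and later), which is the right choice when the profile name does not match the program path (the Debian `system_tor` case); Option B is the `ExecStartPre=` workaround Aaron describes for the case where the global profile load has not yet run when the service starts. Use one or the other in a given unit: `AppArmorProfile=` only switches into a profile that is already loaded in the kernel, so it would make an `ExecStartPre=` that is supposed to do the loading fail.

```ini
# Option A: /etc/systemd/system/example-daemon.service.d/apparmor.conf
# (hypothetical path). Requires systemd >= 210 and the profile
# "example_daemon" to be loaded before the service starts, e.g. by an
# early profile load ordered before this unit.
[Service]
# systemd transitions the service (and every ExecStart*/ExecStop* command
# of this unit) into the named profile on exec, independent of the
# binary's path, so a profile whose name differs from the path still applies.
AppArmorProfile=example_daemon

# Option B: same drop-in path, for systemd < 210 or when the profile may
# not be loaded yet at service start. Load (or replace, -r) the profile
# immediately before the daemon is executed, so the kernel attaches it by
# path and the daemon never runs unconfined. The cost is a compile on
# every start unless the parser cache is warm.
[Service]
ExecStartPre=/sbin/apparmor_parser -r /etc/apparmor.d/usr.sbin.example-daemon
```

To confirm the service really ended up confined rather than in the "profile defined but running unconfined" state from the thread, check the running process after start: `aa-status` lists confined processes per profile, and `/proc/<MainPID>/attr/current` reads `example_daemon (enforce)` for a confined main process instead of `unconfined`.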