[apparmor] systemd AppArmorProfile=
Christian Boltz
apparmor at cboltz.de
Sun Feb 2 14:52:04 UTC 2014
Hello,
On Sunday, 2 February 2014, Michael Scherer wrote:
> On Saturday, 01 February 2014 at 18:18 +0100, Christian Boltz wrote:
> > BTW: It looks like your patch requires the profiles to be loaded
> > already. Do you have any plans for loading, reloading or removing
> > profiles via systemd?
>
> I had a plan to look at how Suse is doing this, but the only way I found
> after a quick look was to run an external binary, and I think that's
> something that should be avoided at least in systemd. I also didn't
> find a potential C library to do that.
The current way is the /etc/init.d/boot.apparmor initscript, which calls
code in /lib/apparmor/rc.apparmor.functions, which finally loads the
profiles using apparmor_parser.
AppArmor 3.0 (not released yet) will make it a bit easier -
apparmor_parser will be able to load all profiles in /etc/apparmor.d/ at
once, instead of having to load one profile after the other. This means
(re)loading all profiles can be done with
apparmor_parser -r /etc/apparmor.d/
Maybe you need some additional options, but you should get the point.
Also note that this way hasn't had much testing yet.
I slightly ;-) doubt if it's a good idea to re-invent apparmor_parser
inside systemd, and calling it as an external binary doesn't sound too
bad to me. (Hey, it worked without problems for the last 10 years ;-)
If you really want a library, the best way is probably to convert most
of apparmor_parser into a library. However, I'm afraid this will need
some[tm] time.
> Well, I have the v2 already, I just didn't find time to really test
> it with a VM before sending it.
Ah, the usual ENOTIME ;-)
Regards,
Christian Boltz
--
Please resolve this as NOT A BUG and USER SHOULD HAVE MORE COFFEE BEFORE
FILING BUGS. I apologize for taking up valuable developer time!
[Jon Nelson in https://bugzilla.novell.com/show_bug.cgi?id=776271#c2]
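As an added example that is not part of this thread and not AppArmor's own rc.apparmor.functions, here is a small POSIX sh loader in the spirit of what the message above describes: it enumerates the profile files under a directory and (re)loads each one with "apparmor_parser -r", continuing past a broken profile so that one parse error does not leave every other program unconfined. The PARSER and APPARMOR_LOAD_DIR variables, the list of skipped file suffixes, and the convention that a disabled profile is marked by a same-named symlink in DIR/disable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the AppArmor project.
# Loads every profile file below a directory with "apparmor_parser -r",
# one file at a time, and reports partial failure instead of stopping
# at the first broken profile.
# Assumptions: PARSER names the apparmor_parser binary (overridable for
# testing), and a disabled profile is marked by a symlink of the same
# name in DIR/disable.

PARSER="${PARSER:-apparmor_parser}"

# is_profile_file FILE: succeed if FILE is a profile that should be loaded.
# Skips dotfiles, editor backups, package-manager leftovers and profiles
# that have been disabled via DIR/disable.
is_profile_file() {
    f="$1"
    [ -f "$f" ] || return 1
    name=${f##*/}
    dir=${f%/*}
    case "$name" in
        .*|*~|*.rpmnew|*.rpmsave|*.dpkg-new|*.dpkg-old|*.dpkg-dist|*.orig|*.rej)
            return 1 ;;
    esac
    [ -e "$dir/disable/$name" ] && return 1
    return 0
}

# list_profiles DIR: print the profile files that would be loaded, one per
# line. Handy as a dry run before touching the kernel policy.
list_profiles() {
    for f in "$1"/*; do
        is_profile_file "$f" && printf '%s\n' "$f"
    done
    return 0
}

# load_profiles DIR: load or replace every profile in DIR. Keeps going after
# a parser error and exits non-zero if any profile failed, so a unit or init
# script can surface partial failure instead of silently confining less than
# the administrator expects.
load_profiles() {
    failed=0
    for f in "$1"/*; do
        is_profile_file "$f" || continue
        if ! "$PARSER" -r "$f"; then
            echo "apparmor: failed to load $f" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Usage: APPARMOR_LOAD_DIR=/etc/apparmor.d sh ./load-profiles.sh
# Nothing runs when the variable is unset, so the file can also be sourced.
if [ -n "${APPARMOR_LOAD_DIR:-}" ]; then
    load_profiles "$APPARMOR_LOAD_DIR"
fi
```

Loading file by file rather than the whole directory at once costs a few extra parser invocations but gives a per-profile error message and a meaningful exit status, which is what an init script or a systemd unit needs to distinguish "all policy loaded" from "most policy loaded".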