[apparmor] Fwd: Bug#735470: Could be implemented centrally with a dpkg trigger instead of requiring every package shipping an apparmor file to use dh_apparmor
jamie at canonical.com
Wed Jan 15 19:33:14 UTC 2014
On 01/15/2014 01:14 PM, Seth Arnold wrote:
> On Wed, Jan 15, 2014 at 07:30:52PM +0100, intrigeri wrote:
>> While updating src:cups to solve #735313, I went and took a look at
>> dh-apparmor and I gained the convictions that this would be better
>> implemented as part of a centralized dpkg-trigger (in apparmor probably)
>> instead of being replicated across all packages shipping apparmor files
>> (although this is significantly helped with dh-apparmor).
>> apparmor could have an 'interest /etc/apparmor.d/' triggers file and its
>> postinst would then do the machinery to create (or remove) the
>> /etc/apparmor.d/local/* files accordingly.
>> This could also have the side benefit of only running apparmor_parser
>> once for all files installed at the same time.
> When would this single apparmor_parser run happen? It needs to happen
> before daemons are started or restarted in their postinst scripts,
> otherwise the AppArmor policy won't be enforced.
Triggers were considered and this was precisely why we didn't take this
approach. The trigger could work for non-daemons, but it doesn't work for
daemons since the triggers are run after daemon packages' postinst. These days,
daemons with an upstart job could use the upstart apparmor stanza to avoid this,
but that can't be depended upon generally (since all daemons aren't currently
upstartified and all systems don't use upstart).
Jamie Strandboge http://www.ubuntu.com/