[apparmor] systemd and stopping AppArmor - introducing aa-teardown
Christian Boltz
apparmor at cboltz.de
Sun Oct 29 20:35:12 UTC 2017
Hello,
TL;DR: I'd like to introduce a script
/usr/sbin/aa-teardown
to unload all AppArmor profiles. Any objections or better ideas?
Long version.
systemctl restart apparmor gets mapped to
systemctl stop apparmor ; systemctl start apparmor
(Yeah, it would be nice if systemd supported overriding that
behaviour. I asked on systemd-devel for an ExecRestart= option last
year, but (to say it mildly) nobody liked that idea, even though it was
requested by different people and for different reasons more than once.)
This also means unloading all profiles in ExecStop is a bad idea.
(Unfortunately it's exactly what the openSUSE apparmor.service currently
does, but I want to change that - the future apparmor.service in
Tumbleweed will have ExecStop=/bin/true and a nice[tm] comment.)
AFAIK Debian and Ubuntu currently use
/etc/init.d/apparmor teardown
to unload all profiles - but this won't work anymore when switching to a
pure systemd unit.
Some discussion on #apparmor led to the idea to introduce a new
stand-alone command
aa-teardown
to unload all profiles. This name would at least be somewhat familiar to
Debian and Ubuntu users.
Does someone have a better idea than aa-teardown?
If not, I'll implement /usr/sbin/aa-teardown in openSUSE and expect that
it will also become the upstream solution [1]. So if you don't like
aa-teardown, speak up *now* ;-)
If you are interested in more details and discussion, see
- https://bugzilla.opensuse.org/show_bug.cgi?id=996520 - especially the
last comments (including a link to the discussion on systemd-devel)
- https://bugzilla.opensuse.org/show_bug.cgi?id=853019 [3]
Oh, and if you like mud wrestling, feel free to try requesting
ExecRestart= in the systemd bugtracker or mailing list once more.
Regards,
Christian Boltz
PS: [3] and [4] could be read as systemd rants. I won't say they are,
but won't object if someone understands them in that way ;-)
[1] the script content still can (and will [2]) be changed, but I expect
the name /usr/sbin/aa-teardown to be set into stone ;-)
[2] to get started quickly, I'll use an as-simple-as-possible script, but
I'm sure that this won't be the final solution.
[3] I could easily have made that one a CVE, but a) that would be evil
and b) AFAIK upstream systemd doesn't really care about CVE numbers
and scores [4].
[4] http://blog.koehntopp.info/index.php/2146-not-a-bug-version-9-8/
shows one of the better-known examples
--
> > > I _do_ have a sensible mailer!
> > And why don't you use it?
> I'm doing that right now.
Strange, over here it shows that you're using KMail.
[> Manfred Misch and Bernd Brodesser in suse-linux]
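As an added illustration of what a minimal aa-teardown could look like (example code, not the script proposed in the mail nor the one AppArmor upstream ships), assuming the kernel's securityfs interface: `profiles` lists each loaded profile as `<name> (<mode>)`, and writing a profile name to `.remove` unloads it. The function names are invented for this example.

```shell
#!/bin/sh
# Added example (not the upstream aa-teardown): unload every loaded
# AppArmor profile through securityfs.
#
# Assumptions: AppArmor's securityfs tree is at /sys/kernel/security/apparmor,
# "profiles" holds one "<name> (<mode>)" line per loaded profile, and writing
# a name to ".remove" unloads that profile. Function names are invented here.

# Print the top-level profile names found in a "profiles" listing.
# Child profiles ("parent//child") are skipped: the kernel drops them
# together with their parent, and removing them separately would fail
# once the parent is already gone.
aa_top_level_profiles() {
    profiles_file="$1"
    sed -e 's/ ([a-z]*)$//' "$profiles_file" \
        | grep -v '//' \
        | LC_COLLATE=C sort
}

# Unload every profile listed under the given securityfs directory.
# Keeps going after a failed removal (so one bad profile does not leave
# the rest loaded) but returns non-zero if any removal failed.
aa_teardown() {
    sfs="${1:-/sys/kernel/security/apparmor}"
    if [ ! -f "$sfs/profiles" ] || [ ! -w "$sfs/.remove" ]; then
        echo "aa-teardown: AppArmor interface not available at $sfs" >&2
        return 1
    fi
    # The list goes through a temp file so the loop runs in this shell
    # and can update $status (a pipe would run it in a subshell).
    list=$(mktemp) || return 1
    aa_top_level_profiles "$sfs/profiles" > "$list"
    status=0
    while IFS= read -r profile; do
        if ! printf '%s' "$profile" > "$sfs/.remove" 2>/dev/null; then
            echo "aa-teardown: failed to unload $profile" >&2
            status=1
        fi
    done < "$list"
    rm -f "$list"
    return $status
}

# Only act when explicitly asked, so sourcing the file just defines the
# functions: "sh aa-teardown.sh --run [securityfs-dir]".
case "${1:-}" in
    --run) aa_teardown "${2:-}" ;;
esac
```

Run it as root with `--run`; on a system where the ExecStop of apparmor.service is `/bin/true`, this is the explicit step that actually drops the loaded profiles.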