[apparmor] Apparmor full system policy - Dracut module?
intrigeri
intrigeri at debian.org
Sun Jan 27 20:49:47 UTC 2019
Hi Jacek,
Jacek:
> What should the correct code of the Apparmor policy module look like to
> Dracut?
I'm not aware of any actual implementation of what this document
suggests, but had I to write it, I would start there:
https://gitlab.com/apparmor/apparmor/blob/master/parser/rc.apparmor.functions
… keeping in mind that dracut starts systemd very early, and most of
the dracut code is run by systemd units as part of initrd.target, so
instead of a dracut module, you could probably load AppArmor policy
from a systemd unit that's WantedBy=initrd.target. See for example
how policy is loaded in Debian post-initramfs:
https://salsa.debian.org/apparmor-team/apparmor/blob/debian/master/debian/apparmor.service
… which uses:
https://gitlab.com/apparmor/apparmor/blob/master/parser/apparmor.systemd
… which delegates all the heavy lifting to
parser/rc.apparmor.functions mentioned above.
> Question about Apparmor full system policy.
> I mean loading all Apparmor policy profiles, not just Init.
Now I'm confused. May I ask what you're trying to achieve?
Is it really full system policy, i.e. *all* processes are confined?
Or "only" early loading of policy?
Cheers,
--
intrigeri
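As an added example (not code from this thread, the AppArmor project or dracut), here is what the "dracut module" Jacek asked about could look like if built the way the reply suggests: a module-setup.sh that ships apparmor_parser, the upstream apparmor.systemd helper (which sources rc.apparmor.functions) and the policy into the initramfs, and hooks a oneshot unit into initrd.target modelled on the Debian apparmor.service linked above. The module name, the unit name and the Debian file paths are assumptions.

```shell
#!/bin/bash
# Constructed example: /usr/lib/dracut/modules.d/90apparmor/module-setup.sh
# (not from the AppArmor or dracut projects). Ships the parser, the upstream
# helper script and the policy into the initramfs, and hooks a oneshot
# unit into initrd.target so policy is loaded before the root switch.
# Paths assume Debian's layout (/lib/apparmor/apparmor.systemd).

# Build-time check: skip the module if the host has no parser.
check() {
    require_binaries apparmor_parser || return 1
    return 0
}

# Dracut runs the initrd under systemd, which the unit below needs.
depends() {
    echo systemd
}

# Unit text: same helper Debian's apparmor.service calls, but ordered
# against initrd.target rather than sysinit.target.
unit_contents() {
    cat <<'EOF'
[Unit]
Description=Load AppArmor profiles in the initramfs
Documentation=man:apparmor(7)
DefaultDependencies=no
ConditionSecurity=apparmor
Before=initrd.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/lib/apparmor/apparmor.systemd reload
EOF
}

install() {
    inst_multiple apparmor_parser /lib/apparmor/apparmor.systemd \
        /lib/apparmor/rc.apparmor.functions
    inst_multiple -o /etc/apparmor/parser.conf
    # Profiles, abstractions, tunables and any precompiled cache.
    find /etc/apparmor.d -type f | while read -r f; do inst_simple "$f"; done
    local unit="$systemdsystemunitdir/initrd-apparmor.service"
    unit_contents > "$initdir$unit"
    mkdir -p "$initdir$systemdsystemunitdir/initrd.target.wants"
    ln_r "$unit" "$systemdsystemunitdir/initrd.target.wants/initrd-apparmor.service"
}
```

Dracut ignores [Install] sections, so the symlink into initrd.target.wants is what actually pulls the unit in; ConditionSecurity=apparmor keeps it a no-op on kernels booted without the LSM.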