[Bug 692801] Re: need a common helper for AppArmor profile loading

Adolfo Jayme Barrientos fitoschido at gmail.com
Sat Jul 6 11:23:14 UTC 2013


** No longer affects: upstart (Ubuntu Maverick)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to upstart in Ubuntu.
https://bugs.launchpad.net/bugs/692801

Title:
  need a common helper for AppArmor profile loading

Status in “upstart” package in Ubuntu:
  Fix Released
Status in “upstart” source package in Natty:
  Fix Released

Bug description:
  Binary package hint: upstart

  Right now, to optimize AppArmor profile loading, each service that has
  a profile loads it during its "pre-start script" stanza. However, the
  logic for handling whether or not AppArmor exists, is loaded, etc.,
  needs to be handled in a common way so that as it evolves, it can
  change in a single place, rather than changing every service's job
  files.

  Since AppArmor may not actually be installed, the helper cannot live
  in any of the apparmor packages itself. And since AppArmor being
  missing is not considered a problem (perhaps they are using SELinux),
  the helper needs to live in the Upstart package. Without this, there's
  no sane way to do per-service profile loading, and we're back to doing
  a monolithic all-profile load that every job has to wait on (and means
  low early-boot parallelism for these services).

  As an example, mysql would replace these lines:
      # Load AppArmor profile
      if aa-status --enabled 2>/dev/null; then
          apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld || true
      fi
  with:
      /lib/init/apparmor-profile-load usr.sbin.mysqld
  which would mean no longer requiring the heavy Perl loading test from "aa-status".

  This would also allow us to get cups back to confinement (see bug
  690040).

  How does the attached patch seem?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/692801/+subscriptions
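
The helper the report asks for could look roughly like the following sketch, which is an added example and not the patch attached to the bug or the script shipped in Upstart. It replaces the `aa-status --enabled` test with a read of `/sys/module/apparmor/parameters/enabled`; `AA_ROOT`, `AA_PARSER` and the function names are assumptions made here so the checks can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: one possible shape for a common profile-loading helper.
# Not the script shipped by Upstart. AA_ROOT and AA_PARSER are hypothetical
# overrides so the checks can be exercised against a constructed tree.
AA_ROOT="${AA_ROOT:-}"
AA_PARSER="${AA_PARSER:-/sbin/apparmor_parser}"

# aa_should_load NAME
#   0 = AppArmor is usable and the profile exists: load it
#   1 = nothing to do (no profile, no parser, or AppArmor absent/disabled)
#   2 = bad profile name
aa_should_load() {
    case "$1" in
        ""|.*|*/*) return 2 ;;   # a bare file name only, never a path
    esac
    [ -e "$AA_ROOT/etc/apparmor.d/$1" ] || return 1
    [ -x "$AA_PARSER" ] || return 1                # AppArmor userspace not installed
    enabled_file="$AA_ROOT/sys/module/apparmor/parameters/enabled"
    [ -r "$enabled_file" ] || return 1             # AppArmor not in this kernel
    read -r enabled < "$enabled_file" || return 1
    [ "$enabled" = "Y" ] || return 1               # present but switched off
    return 0
}

# aa_profile_load NAME
# What a job's pre-start script would call. AppArmor being missing or
# disabled is not an error, so those cases return 0 without doing anything.
aa_profile_load() {
    rc=0
    aa_should_load "$1" || rc=$?
    case "$rc" in
        0) "$AA_PARSER" -r "$AA_ROOT/etc/apparmor.d/$1" || true ;;  # same "|| true" as the job stanza
        1) return 0 ;;
        *) echo "usage: apparmor-profile-load <profile-name>" >&2; return 1 ;;
    esac
}

# Run as a script: apparmor-profile-load usr.sbin.mysqld
if [ "$#" -gt 0 ]; then
    aa_profile_load "$1"
fi
```

As in the stanza quoted in the report, a parser failure is ignored, so the service still starts, only without confinement; removing the `|| true` would make the job fail closed instead.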



