[Bug 1385414] Re: provide systemd compatible cache loading library
Seth Arnold
1385414 at bugs.launchpad.net
Sat Jul 1 02:52:19 UTC 2017
Hello intrigeri, this one is a bit involved.

As it is, systemd's support for AppArmor is to issue a change_profile
call before executing a unit's executable. This requires the profile to
already be loaded, which currently means a pre-task that calls
apparmor_parser on the profile or waiting to run until after an apparmor
unit file completes loading all profiles.

The parser currently knows how to drive the cache, invalidate it if any
of the files involved in defining the profile are modified, etc. But
it'd be nice if this functionality were exposed via a library that
systemd could use so that it could compile (and cache) the policy if
needed; it could load a cached policy if one exists and isn't stale.

Since different tools own different AppArmor policies (init scripts own
/etc/apparmor.d/, snapd owns snapd policy, libvirt owns libvirt policy,
docker owns docker policy, etc.) this may need some effort to determine
what we really want it to do.

I hope this helps. Thanks.

--
https://bugs.launchpad.net/bugs/1385414

Title:
  provide systemd compatible cache loading library

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Triaged

Bug description:
  This tracks the work related to moving AppArmor to systemd in support
  of bug 1379542.
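
The cache decision the message describes (load a cached policy if one exists and isn't stale, otherwise compile), as an added Python example that is not code from AppArmor, libapparmor or systemd. It assumes staleness is judged by file modification time alone and follows only angle-bracket include lines; the function names, file names and policy tree are constructed for illustration.

```python
import os
import re
import tempfile

# AppArmor include lines, angle-bracket form only: "#include <x>" or "include <x>".
INCLUDE_RE = re.compile(r"^\s*#?include\s+<([^>]+)>", re.MULTILINE)

def policy_sources(profile, base_dir, seen=None):
    """Collect the profile and every file it includes, recursively."""
    seen = set() if seen is None else seen
    path = os.path.realpath(profile)
    if path in seen or not os.path.isfile(path):
        return seen  # already visited, or a directory/missing include (skipped in this model)
    seen.add(path)
    with open(path, encoding="utf-8") as fh:
        for rel in INCLUDE_RE.findall(fh.read()):
            policy_sources(os.path.join(base_dir, rel), base_dir, seen)
    return seen

def choose_action(profile, cache_file, base_dir):
    """Return 'load-cache' only if the cache is no older than every source file."""
    if not os.path.isfile(cache_file):
        return "compile"
    cache_mtime = os.stat(cache_file).st_mtime_ns
    stale = any(os.stat(src).st_mtime_ns > cache_mtime
                for src in policy_sources(profile, base_dir))
    return "compile" if stale else "load-cache"

def demo():
    """Run the decision over a constructed policy tree in a temp directory."""
    def put(path, text, mtime_s):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.utime(path, ns=(mtime_s * 10**9, mtime_s * 10**9))
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "abstractions"))
        base = os.path.join(d, "abstractions", "base")
        prof = os.path.join(d, "usr.bin.example")
        cache = os.path.join(d, "usr.bin.example.cache")
        put(base, "/etc/ld.so.cache r,\n", 1000)
        put(prof, "profile example /usr/bin/example {\n  #include <abstractions/base>\n}\n", 1000)
        steps = [choose_action(prof, cache, d)]      # no cache yet
        put(cache, "constructed placeholder for compiled policy\n", 2000)
        steps.append(choose_action(prof, cache, d))  # cache newer than all sources
        os.utime(base, ns=(3000 * 10**9, 3000 * 10**9))  # an included file changes
        steps.append(choose_action(prof, cache, d))
        return steps

if __name__ == "__main__":
    print(demo())
```

The third step is the case that matters for a loader: the profile file itself is untouched, yet the cache must be rejected because a file it includes is newer.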