AppArmor and Upstart
Kees Cook
kees at ubuntu.com
Thu Dec 22 23:16:27 UTC 2011
On Thu, Dec 22, 2011 at 01:37:27PM -0800, Scott James Remnant wrote:
> On Wed, Dec 21, 2011 at 11:52 AM, Jamie Strandboge <jamie at canonical.com> wrote:
> > We could make the apparmor helper for upstart an integral part of
> > Upstart such that when a job is started, Upstart automatically loads
> > policy for the executable. This is an interesting option, but seems to
> > require considerable work. It solves the non-discoverability problem as
> > well as time on distribution integration work, but does not obviate the
> > need for the second stage.
> >
> This need not be an integral part, and can be accomplished with a simple
> job:
>
> start on starting
> # note no job name, we get that as $JOB in our script
>
> task
> pre-start exec test -f /etc/apparmor.d/cache/$JOB
> exec apparmor-stuff
>
> This will be run for every job started by Upstart, and block each one until
> complete.
Unfortunately there is no static mapping between binary name and upstart
job name. AppArmor uses the binary name for its profile name, so at least
that has a 1-to-1 relationship. A mapping between jobs and profiles was
made for stuff that was known to have profiles, but it doesn't give us a
reliable way to load the profile without having also created the mapping
back to upstart jobs. :(
--
Kees Cook
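The mismatch Kees describes, worked through as an added shell example (this is not code from the thread, from Upstart or from AppArmor): instead of keying on `$JOB`, read the job's own `exec` stanza to find the executable, then look for a profile under AppArmor's usual file-naming convention (the path with the leading slash dropped and `/` replaced by `.`, e.g. `/usr/sbin/cupsd` becomes `usr.sbin.cupsd`). The directories `/etc/init` and `/etc/apparmor.d` are assumed defaults and can be overridden; the `cups` job file and the placeholder profile are constructed inline so the script runs offline. The script only reports which profile file would apply; it does not load policy.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Derive the AppArmor profile file for an Upstart job from the job's
# "exec" line, since the job name itself does not name the binary.
# Assumptions: job files live in $INIT_DIR, profile files in
# $APPARMOR_DIR, and profiles follow the "/" -> "." naming convention.

INIT_DIR="${INIT_DIR:-/etc/init}"
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"

# job_binary JOB: print the executable named by the job's first "exec"
# stanza (comments stripped), or return 1 if the job file is unreadable.
job_binary() {
    conf="$INIT_DIR/$1.conf"
    [ -r "$conf" ] || return 1
    sed -e 's/#.*//' "$conf" | awk '$1 == "exec" { print $2; exit }'
}

# profile_name PATH: AppArmor's conventional profile file name for PATH.
profile_name() {
    printf '%s\n' "$1" | sed -e 's#^/##' -e 's#/#.#g'
}

# profile_for_job JOB: print the profile file path for the job's
# executable if one exists under $APPARMOR_DIR; return 1 otherwise.
profile_for_job() {
    bin=$(job_binary "$1") || return 1
    [ -n "$bin" ] || return 1
    p="$APPARMOR_DIR/$(profile_name "$bin")"
    [ -f "$p" ] || return 1
    printf '%s\n' "$p"
}

# demo_setup: build a constructed job tree in a temp dir. The job is
# named "cups" but runs /usr/sbin/cupsd, which is exactly the name
# mismatch that makes a $JOB-based lookup fail.
demo_setup() {
    tmp=$(mktemp -d)
    INIT_DIR="$tmp/init"
    APPARMOR_DIR="$tmp/apparmor.d"
    mkdir -p "$INIT_DIR" "$APPARMOR_DIR"
    cat > "$INIT_DIR/cups.conf" <<'EOF'
# constructed sample job
description "CUPS printing spooler/server"
start on runlevel [2345]
respawn
exec /usr/sbin/cupsd -F
EOF
    # constructed placeholder profile file (contents are irrelevant here)
    printf '# placeholder profile\n' > "$APPARMOR_DIR/usr.sbin.cupsd"
}

demo_setup
for job in cups nosuch; do
    if p=$(profile_for_job "$job"); then
        echo "$job: profile file $p"
    else
        echo "$job: no profile file found"
    fi
done
```

Running it prints a profile path for `cups` (found via `/usr/sbin/cupsd`, not via the job name) and "no profile file found" for the non-existent `nosuch` job. A real loader would additionally have to cope with jobs that use a `script` block instead of a bare `exec`, or that exec a wrapper rather than the confined binary, which is the gap the thread is pointing at.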