AppArmor and Upstart

Kees Cook kees at
Thu Dec 22 23:16:27 UTC 2011

On Thu, Dec 22, 2011 at 01:37:27PM -0800, Scott James Remnant wrote:
> On Wed, Dec 21, 2011 at 11:52 AM, Jamie Strandboge <jamie at>wrote:
> > We could make the apparmor helper for upstart an integral part of
> > Upstart such that when a job is started, Upstart automatically loads
> > policy for the executable. This is an interesting option, but seems to
> > require considerable work. It solves the non-discoverability problem as
> > well as time on distribution integration work, but does not obviate the
> > need for the second stage.
> >
> >
> This need not be an integral part, and can be accomplished with a simple
> job:
>   start on starting
>   # note no job name, we get that as $JOB in our script
>   task
>   pre-start exec test -f /etc/apparmor.d/cache/$JOB
>   exec apparmor-stuff
> This will be run for every job started by Upstart, and block each one until
> complete

Unfortunately there is no static mapping between binary name and upstart
job name. AppArmor uses the binary name for it's profile name, so at least
that has a 1-to-1 relationship. A mapping between jobs and profiles was
made for stuff that was known to have profiles, but it doesn't give us a
reliable way to load the profile without having also created the mapping
back to upstart jobs. :(

Kees Cook

More information about the upstart-devel mailing list