provide systemd compatible cache loading library
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | AppArmor |
Critical
|
Tyler Hicks | ||
| | apparmor (Ubuntu) |
Critical
|
Tyler Hicks | ||
| | systemd (Ubuntu) |
Medium
|
Unassigned | ||
Bug Description
This tracks the work related to moving AppArmor to systemd in support of bug 1379542.
Related branches
| description: | updated |
| Changed in apparmor (Ubuntu): | |
| status: | Triaged → In Progress |
| Jamie Strandboge (jdstrand) wrote : | #1 |
| Changed in apparmor: | |
| status: | New → In Progress |
| importance: | Undecided → High |
| assignee: | nobody → Tyler Hicks (tyhicks) |
| importance: | High → Critical |
| Changed in apparmor (Ubuntu): | |
| status: | In Progress → Confirmed |
| Changed in systemd (Ubuntu): | |
| status: | New → Confirmed |
| importance: | Undecided → High |
| milestone: | none → later |
| Changed in apparmor (Ubuntu): | |
| milestone: | none → later |
| Martin Pitt (pitti) wrote : | #2 |
As for tracking systemd bugs I'd like to reduce importance, as we have bug 1438249 for tracking the fallback for vivid. So this is mostly optimization now, it shouldn't make a difference security wise, right? Please set back to High if I misunderstood this. Thanks!
| Changed in systemd (Ubuntu): | |
| status: | Confirmed → Triaged |
| importance: | High → Medium |
| Changed in apparmor: | |
| milestone: | none → 2.10 |
| Changed in apparmor: | |
| status: | In Progress → Fix Committed |
| Steve Beattie (sbeattie) wrote : | #3 |
AppArmor 2.10 has been released: https:/
| Changed in apparmor: | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package apparmor - 2.10-0ubuntu2
---------------
apparmor (2.10-0ubuntu2) wily; urgency=medium
* debian/
make aa-status(8) work even when python3-apparmor is not installed,
otherwise dh_apparmor postinst snippets can fail (LP: #1480492)
* debian/control: make apparmor-utils depend on the same package
version of python3-apparmor
-- Steve Beattie <email address hidden> Fri, 31 Jul 2015 16:35:03 -0700
| Changed in apparmor (Ubuntu): | |
| status: | Confirmed → Fix Released |
| intrigeri (intrigeri) wrote : | #5 |
I could ask for help to the person who implemented the initial AppArmor support in systemd. But first I would need a clearer task description than "Add systemd task since it needs an update to make it use the cache loading library". What exactly do we need systemd to do?
| Seth Arnold (seth-arnold) wrote : | #6 |
Hello intrigeri, this one is a bit involved.
As it is systemd's support for AppArmor is to issue a change_profile call before executing a unit's executable. This requires the profile to already be loaded, which currently means a pre-task that calls apparmor_parser on the profile or waiting to run until after an apparmor unit file completes loading all profiles.
The parser currently knows how to drive the cache, invalidate it if any of the files involved in defining the profile are modified, etc. But it'd be nice if this functionality were exposed via a library that systemd could use so that it could compile (and cache) the policy if needed, it could load a cached policy if one exists and isn't stale.
Since different tools own different AppArmor policies (init scripts own /etc/apparmor.d/, snapd owns snapd policy, libvirt owns libvirt policy, docker owns docker policy, etc) this may need some effort to determine what we really want it to do.
I hope this helps. Thanks.
| Seth Arnold (seth-arnold) wrote : | #7 |
Sigh. https:/
The parser just checks for mtime newer than the cache, not changes.
Thanks
| intrigeri (intrigeri) wrote : | #8 |
Thanks! So we still need an AppArmor task, not just a systemd one, right? (My question came up because all the AppArmor tasks are marked as "Fix released", and thus I thought the only remaining thing to do is on the systemd side, but your answer suggests that's not actually the case.)
| John Johansen (jjohansen) wrote : Re: [Bug 1385414] Re: provide systemd compatible cache loading library | #9 |
On 06/30/2017 07:52 PM, Seth Arnold wrote:
> Hello intrigeri, this one is a bit involved.
>
> As it is systemd's support for AppArmor is to issue a change_profile
> call before executing a unit's executable. This requires the profile to
> already be loaded, which currently means a pre-task that calls
> apparmor_parser on the profile or waiting to run until after an apparmor
> unit file completes loading all profiles.
>
> The parser currently knows how to drive the cache, invalidate it if any
> of the files involved in defining the profile are modified, etc. But
> it'd be nice if this functionality were exposed via a library that
> systemd could use so that it could compile (and cache) the policy if
> needed, it could load a cached policy if one exists and isn't stale.
>
AppArmomr does provide a library interface to the cache and loading,
it does not however provide a library interface to compiling policy.
man aa_policy_cache will give you documentation for
cache
object
all cached policies
and man aa_kernel_interface
interface for policy loading, replacing, and removing
an optional path
kernel
into the kernel
descriptor into the kernel
with a policy from a buffer
kernel with a policy from a file
kernel with a policy from a file descriptor
the compile part will eventually come as a library but is far less useful
and systemd should just call the external policy compiler if policy is stale.
> Since different tools own different AppArmor policies (init scripts own
> /etc/apparmor.d/, snapd owns snapd policy, libvirt owns libvirt policy,
> docker owns docker policy, etc) this may need some effort to determine...
Added upstream task since that is what is in progress. Set Ubuntu task to Confirmed. Add systemd task since it needs an update to make it use the cache loading library.