Comment 6 for bug 1385414

Seth Arnold (seth-arnold) wrote :

Hello intrigeri, this one is a bit involved.

As it is, systemd's support for AppArmor is to issue a change_profile call before executing a unit's executable. This requires the profile to already be loaded, which currently means a pre-task that calls apparmor_parser on the profile, or waiting to run until after an apparmor unit file completes loading all profiles.

The parser currently knows how to drive the cache, invalidate it if any of the files involved in defining the profile are modified, etc. But it'd be nice if this functionality were exposed via a library that systemd could use, so that it could compile (and cache) the policy if needed, and could load a cached policy if one exists and isn't stale.

Since different tools own different AppArmor policies (init scripts own /etc/apparmor.d/, snapd owns snapd policy, libvirt owns libvirt policy, docker owns docker policy, etc.), this may need some effort to determine what we really want it to do.

I hope this helps. Thanks.
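The "pre-task that loads the profile" workaround described in the comment above, as an added example (not part of the bug thread or of systemd's own documentation): a oneshot helper unit runs apparmor_parser after apparmor.service, and the real service orders itself after the helper so that the change_profile call at exec time finds the profile loaded. The unit names, the profile path /etc/apparmor.d/usr.bin.myapp and the profile name /usr/bin/myapp are hypothetical.

```ini
# /etc/systemd/system/myapp-apparmor.service  (hypothetical helper unit)
# Loads (or replaces) the profile so it is in the kernel before myapp.service execs.
[Unit]
Description=Load the AppArmor profile for myapp
ConditionSecurity=apparmor
After=apparmor.service
Before=myapp.service

[Service]
Type=oneshot
RemainAfterExit=yes
# -r replaces the profile if an older version is already loaded.
ExecStart=/sbin/apparmor_parser -r /etc/apparmor.d/usr.bin.myapp

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/myapp.service  (hypothetical confined service)
[Unit]
Description=myapp, confined by AppArmor
# Hard dependency: if the profile cannot be loaded, do not start unconfined.
Requires=myapp-apparmor.service
After=myapp-apparmor.service

[Service]
# systemd calls change_profile to this name before executing ExecStart;
# it must match the profile name declared inside usr.bin.myapp.
AppArmorProfile=/usr/bin/myapp
ExecStart=/usr/bin/myapp
```

The helper re-parses the profile on every boot; reusing the parser's cache when the policy files are unchanged is exactly what the library proposed in the comment would let systemd do directly.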