diff -u upstart-0.6.7/debian/upstart.install upstart-0.6.7/debian/upstart.install
--- upstart-0.6.7/debian/upstart.install
+++ upstart-0.6.7/debian/upstart.install
@@ -2,2 +2,3 @@
 debian/upstart-job lib/init/
+debian/apparmor-profile-load lib/init/
 debian/migrate-inittab.pl usr/lib/upstart/
diff -u upstart-0.6.7/debian/changelog upstart-0.6.7/debian/changelog
--- upstart-0.6.7/debian/changelog
+++ upstart-0.6.7/debian/changelog
@@ -1,3 +1,11 @@
+upstart (0.6.7-1ubuntu1) natty; urgency=low
+
+ * debian/apparmor-profile-load: common AppArmor profile loading helper
+ which can be used by any upstart services, regardless of the state
+ of AppArmor.
+
+ -- Kees Cook Mon, 20 Dec 2010 16:03:33 -0800
+
 upstart (0.6.7-1) natty; urgency=low
 
 * New upstream release:
only in patch2:
unchanged:
--- upstart-0.6.7.orig/debian/apparmor-profile-load
+++ upstart-0.6.7/debian/apparmor-profile-load
@@ -0,0 +1,24 @@
+#!/bin/sh
+# apparmor-profile-load
+#
+# Helper for loading an AppArmor profile in pre-start scripts.
+
+[ -z "$1" ] && exit 1 # require a profile name
+
+[ -d /rofs/etc/apparmor.d ] && exit 0 # do not load if running liveCD
+
+module=/sys/module/apparmor
+[ -d $module ] || exit 0 # do not load without AppArmor in kernel
+
+[ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
+
+aafs=/sys/kernel/security/apparmor
+[ -d $aafs ] || exit 0 # do not load if unmounted
+[ -w $aafs/profiles ] || exit 1 # fail if cannot load profiles
+
+params=$module/parameters
+[ -r $params/enabled ] || exit 0 # do not load if missing
+read enabled < $params/enabled || exit 1 # if this fails, something went wrong
+[ "$enabled" = "Y" ] || exit 0 # do not load if disabled
+
+/sbin/apparmor_parser -r -W /etc/apparmor.d/"$1"
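Review bot: In debian/apparmor-profile-load, every `exit 0` guard ahead of the final `apparmor_parser` call reports success without loading the profile, so a pre-start script that calls this helper cannot tell a confined start from an unconfined one. The changelog states this as the design for systems without AppArmor, but `[ -d $aafs ] || exit 0` also covers securityfs simply not being mounted yet; if a job can start that early, the service would presumably run unconfined with no trace. The header should spell out the contract, for example `# Exit 0 means nothing blocked the start, not that the profile was loaded; the service runs unconfined when AppArmor is absent, disabled or securityfs is unmounted.`, and the skip paths that are unexpected on an installed system could write one line to stderr before exiting. Separately, `$1` is appended to `/etc/apparmor.d/` unchecked; profile files normally sit directly in that directory, so `case "$1" in */*) exit 1 ;; esac` after the empty-argument test would keep the helper from handing the parser a file outside it.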