On 01/15/2014 01:14 PM, Seth Arnold wrote:
> On Wed, Jan 15, 2014 at 07:30:52PM +0100, intrigeri wrote:

...

>> While updating src:cups to solve #735313, I went and took a look at
>> dh-apparmor and I gained the convictions that this would be better
>> implemented as part of a centralized dpkg-trigger (in apparmor probably)
>> instead of being replicated across all packages shipping apparmor files
>> (although this is significantly helped with dh-apparmor).
>>
>> apparmor could have an 'interest /etc/apparmor.d/' triggers file and its
>> postinst would then do the machinery to create (or remove) the
>> /etc/apparmor.d/local/* files accordingly.
>>
>> This could also have the side benefit of only running apparmor_parser
>> once for all files installed at the same time.
> 
> When would this single apparmor_parser run happen? It needs to happen
> before daemons are started or restarted in their postinst scripts,
> otherwise the AppArmor policy won't be enforced.
> 
Triggers were considered and this was precisely why we didn't take this
approach. The trigger could work for non-daemons, but it doesn't work for
daemons since the triggers are run after daemon packages' postinst. These days,
daemons with an upstart job could use the upstart apparmor stanza to avoid this,
but that can't be depended upon generally (since not all daemons are currently
upstartified and not all systems use upstart).

-- 
Jamie Strandboge                 http://www.ubuntu.com/
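The ordering Seth asks about, as an added example that is not code from the thread or from dh-apparmor: a minimal postinst fragment that loads the profile before the daemon is (re)started. Profile name, daemon name and the overridable directory variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from dh-apparmor: a minimal
# postinst fragment showing the ordering Seth's question is about. The profile
# must be loaded before the daemon is (re)started; a dpkg trigger owned by the
# apparmor package fires only after this package's postinst, i.e. too late.
set -e

APPARMOR_D="${APPARMOR_D:-/etc/apparmor.d}"            # profile directory
AA_SYSFS="${AA_SYSFS:-/sys/kernel/security/apparmor}"  # kernel support marker
PROFILE_NAME="${PROFILE_NAME:-usr.sbin.exampled}"      # assumed profile name
DAEMON="${DAEMON:-exampled}"                           # assumed init script

# Profiles #include local/<name>; make sure the override file exists before
# parsing, otherwise apparmor_parser fails on a missing include.
ensure_local_include() {
    mkdir -p "$APPARMOR_D/local"
    [ -e "$APPARMOR_D/local/$1" ] || : > "$APPARMOR_D/local/$1"
}

# Load (replace) one profile when the tooling and kernel support are present.
# -r replace, -T skip reading the cache, -W write the binary cache.
# A load failure is reported but does not abort the package configuration.
load_apparmor_profile() {
    [ -f "$1" ] || { echo "profile $1 missing, skipping" >&2; return 0; }
    if command -v apparmor_parser >/dev/null 2>&1 && [ -d "$AA_SYSFS" ]; then
        apparmor_parser -r -T -W "$1" || echo "failed to load $1" >&2
    fi
}

# The "configure" step: policy first, daemon restart second.
configure_package() {
    ensure_local_include "$PROFILE_NAME"
    load_apparmor_profile "$APPARMOR_D/$PROFILE_NAME"
    invoke-rc.d "$DAEMON" restart || true
}

case "${1:-}" in
    configure) configure_package ;;
esac
```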

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com