Hello,

TL;DR: I'd like to introduce a script
    /usr/sbin/aa-teardown
to unload all AppArmor profiles. Any objections or better ideas?


Long version.

systemctl restart apparmor   gets mapped to
systemctl stop apparmor ; systemctl start apparmor
(Yeah, it would be nice if systemd would support overriding that 
behaviour. I asked on systemd-devel for an ExecRestart= option last 
year, but (to say it mildly) nobody liked that idea, even if it was 
requested by different people and for different reasons more than once.)

This also means unloading all profiles in ExecStop is a bad idea.
(Unfortunately it's exactly what the openSUSE apparmor.service currently 
does, but I want to change that - the future apparmor.service in 
Tumbleweed will have ExecStop=/bin/true and a nice[tm] comment.)

AFAIK Debian and Ubuntu currently use
    /etc/init.d/apparmor teardown
to unload all profiles - but this won't work anymore when switching to a 
pure systemd unit.

Some discussion on #apparmor led to the idea to introduce a new 
stand-alone command
    aa-teardown
to unload all profiles. This name would at least be somewhat familiar to 
Debian and Ubuntu users.

Does someone have a better idea than   aa-teardown   ?
If not, I'll implement /usr/sbin/aa-teardown in openSUSE and expect that 
it will also become the upstream solution [1]. So if you don't like 
aa-teardown, speak up *now* ;-)


If you are interested in more details and discussion, see
- https://bugzilla.opensuse.org/show_bug.cgi?id=996520 - especially the 
  last comments (including a link to the discussion on systemd-devel)
- https://bugzilla.opensuse.org/show_bug.cgi?id=853019 [3]

Oh, and if you like mud wrestling, feel free to try requesting 
ExecRestart= in the systemd bug tracker or mailing list once more.


Regards,

Christian Boltz

PS: [3] and [4] could be read as systemd rants. I won't say they are, 
    but won't object if someone understands them in that way ;-)


[1] the script content can still (and will [2]) be changed, but I expect 
    the name /usr/sbin/aa-teardown to be set in stone ;-)

[2] to get started quickly, I'll use an as-simple-as-possible script, but 
    I'm sure that this won't be the final solution.

[3] I could easily have made that one a CVE, but a) that would be evil 
    and b) AFAIK upstream systemd doesn't really care about CVE numbers 
    and scores [4].

[4] http://blog.koehntopp.info/index.php/2146-not-a-bug-version-9-8/ 
    shows one of the better-known examples

-- 
> > > I _do_ have a sensible mailer!
> > And why don't you use it?
> I'm doing that right now.
Odd, on my end it shows that you're using KMail.
[> Manfred Misch and Bernd Brodesser in suse-linux]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
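The mail asks for a stand-alone aa-teardown command that unloads every loaded profile, independent of apparmor.service's ExecStop. The script below is an added example of what such an unloader can look like; it is not Christian's script and not the upstream aa-teardown. It assumes securityfs is mounted at /sys/kernel/security, that $SFS/profiles lists loaded profiles as "name (mode)" with child profiles shown as "parent//child (mode)", and that writing a profile name to $SFS/.remove unloads it (the same kernel interface the init-script functions use). The profile names used for testing are constructed. Child profiles are skipped on purpose: removing the parent removes them, and trying to remove them separately afterwards would just fail.

```shell
#!/bin/sh
# Added example of an aa-teardown-style profile unloader (not the upstream
# script). Assumes: securityfs at /sys/kernel/security, AppArmor enabled,
# the "name (mode)" listing in $SFS/profiles and the $SFS/.remove
# interface. Unloading profiles requires root.

SFS="${APPARMOR_SFS:-/sys/kernel/security/apparmor}"

# Print the loaded top-level profile names, one per line, sorted.
# $1 is the path of the kernel's profile list; each line reads
# "name (mode)". Child profiles appear as "parent//child (mode)" and are
# unloaded together with their parent, so they are filtered out here.
list_top_level_profiles() {
    awk '
        {
            name = $0
            sub(/ \([a-z]+\)$/, "", name)   # drop the trailing " (enforce)" etc.
            if (index(name, "//") == 0) print name
        }
    ' "$1" | LC_COLLATE=C sort -u
}

# Unload every top-level profile by writing its name to $sfs/.remove.
# $1 optionally overrides the securityfs directory (handy for dry runs
# against a fake directory). Returns 0 if every removal succeeded,
# 1 if any of them failed.
unload_all_profiles() {
    sfs="${1:-$SFS}"
    failed=0
    tmp=$(mktemp) || return 1
    list_top_level_profiles "$sfs/profiles" > "$tmp"
    while IFS= read -r profile; do
        if printf '%s' "$profile" > "$sfs/.remove"; then
            echo "unloaded $profile"
        else
            echo "failed to unload $profile" >&2
            failed=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$failed"
}

# Only tear down when installed and invoked as aa-teardown, so the file can
# also be sourced for its functions without side effects.
case "$0" in
    *aa-teardown)
        if [ "$(id -u)" -ne 0 ]; then
            echo "aa-teardown: must run as root" >&2
            exit 1
        fi
        if [ ! -f "$SFS/profiles" ]; then
            echo "aa-teardown: AppArmor securityfs not available at $SFS" >&2
            exit 1
        fi
        unload_all_profiles
        ;;
esac
```

Installed as /usr/sbin/aa-teardown and run as root, this unloads everything; pointing unload_all_profiles at a directory containing a copy of the profiles file and a regular .remove file lets you check which names it would write without touching the kernel.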