Control: tag -1 + patch Hi,
intrigeri wrote (23 Sep 2014 17:01:21 GMT) : > Michael Biebl wrote (23 Sep 2014 11:59:22 GMT) : >>> a) I don't see any dependency automatically added on libapparmor1, and >>> I've no idea which binary package exactly should have it. Any hint? >> Did you add "--enable-apparmor" to the configure flags? I tried it, and indeed the binary systemd package now Depends: libapparmor1 (>= 2.6~devel). Thanks! So, only problem (b) remains. I was able to workaround it by commenting out these directives in the unit file: ReadOnlyDirectories = / ReadWriteDirectories = /var/lib/tor ReadWriteDirectories = /var/log/tor ReadWriteDirectories = /var/run/tor Note that for some reason, leaving this directive in is not a problem, though: InaccessibleDirectories = /home And adding these directives works too: ProtectSystem = full ProtectHome = yes To make sure this problem wasn't caused by the old apparmor package we have, I've prepared a 2.8.96~2652-1 apparmor package yesterday, which is now in experimental, and rebuilt systemd against it. Then, I've tested the resulting systemd packages on a system that has apparmor 2.8.96~2652-1 from experimental, and I see the same problem, the and same workaround applies. Should we take this problem upstream? I've not subscribed to the systemd ML, and never interacted with them yet, so I'd rather see you do that. Still, if you can't or don't want to do it, I guess I can try to find time to learn how to communicate with yet another friendly upstream community... during the Jessie+1 dev cycle. In any case: * According to codesearch, there's exactly zero unit file in Debian currently that uses AppArmorProfile= (not a surprise, considering systemd doesn't support it in Debian yet), let alone combined with Read{Only,Write}Directories. * As far as the Tor unit file is concerned, the Read{Only,Write}Directories directives are not part of the unit file shipped upstream in the version (0.2.5.x) that will be in Jessie, so that's not a real problem yet, and we can add AppArmorProfile= in there. These directories are in Tor 0.2.6.x, though, so we'll have to handle it somehow for Jessie+1. So, I don't think that the problem I'm seeing here is a blocker for enabling AppArmor support in systemd. The attached patch implements this. Once something like this is applied, I'll clone this bug report to track the remaining problems. Cheers, -- intrigeri
>From 6157f1c74e55189cf663904bef429b36dcc2a48f Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@debian.org> Date: Tue, 23 Sep 2014 04:57:13 +0000 Subject: [PATCH] Enable AppArmor support (Closes: #760526) - add build-dependency on libapparmor-dev - add --enable-apparmor to the configure flags --- debian/control | 1 + debian/rules | 1 + 2 files changed, 2 insertions(+) diff --git a/debian/control b/debian/control index f27beb9..3c02037 100644 --- a/debian/control +++ b/debian/control @@ -21,6 +21,7 @@ Build-Depends: debhelper (>= 9), autoconf (>= 2.63), intltool, gperf, + libapparmor-dev, libcap-dev, libpam0g-dev, libaudit-dev, diff --git a/debian/rules b/debian/rules index 5a0b8c3..d371d72 100755 --- a/debian/rules +++ b/debian/rules @@ -25,6 +25,7 @@ CONFFLAGS = \ --disable-microhttpd \ --disable-sysusers \ --disable-silent-rules \ + --enable-apparmor \ --with-ntp-servers="0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org" \ --with-system-uid-max=999 \ --with-system-gid-max=999 -- 2.1.1