[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
** Changed in: systemd (Ubuntu)
       Status: Triaged => Invalid

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1385414

Title:
  provide systemd compatible cache loading library

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Invalid

Bug description:
  This tracks the work related to moving AppArmor to systemd in support
  of bug 1379542.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1385414/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
Re: [Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
On 06/30/2017 07:52 PM, Seth Arnold wrote:
> Hello intrigeri, this one is a bit involved.
>
> As it is, systemd's support for AppArmor is to issue a change_profile
> call before executing a unit's executable. This requires the profile to
> already be loaded, which currently means a pre-task that calls
> apparmor_parser on the profile or waiting to run until after an apparmor
> unit file completes loading all profiles.
>
> The parser currently knows how to drive the cache, invalidate it if any
> of the files involved in defining the profile are modified, etc. But
> it'd be nice if this functionality were exposed via a library that
> systemd could use so that it could compile (and cache) the policy if
> needed, it could load a cached policy if one exists and isn't stale.
>

AppArmor does provide a library interface to the cache and loading; it
does not, however, provide a library interface to compiling policy.

man aa_policy_cache will give you documentation for

  aa_policy_cache - an opaque object representing an AppArmor policy cache
  aa_policy_cache_new - create a new aa_policy_cache object from a path
  aa_policy_cache_ref - increments the ref count of an aa_policy_cache object
  aa_policy_cache_unref - decrements the ref count and frees the aa_policy_cache object when 0
  aa_policy_cache_remove - removes all policy cache files under a path
  aa_policy_cache_replace_all - performs a kernel policy replacement of all cached policies

and man aa_kernel_interface

  aa_kernel_interface - an opaque object representing the AppArmor kernel interface for policy loading, replacing, and removing
  aa_kernel_interface_new - create a new aa_kernel_interface object from an optional path
  aa_kernel_interface_ref - increments the ref count of an aa_kernel_interface object
  aa_kernel_interface_unref - decrements the ref count and frees the aa_kernel_interface object when 0
  aa_kernel_interface_load_policy - load a policy from a buffer into the kernel
  aa_kernel_interface_load_policy_from_file - load a policy from a file into the kernel
  aa_kernel_interface_load_policy_from_fd - load a policy from a file descriptor into the kernel
  aa_kernel_interface_replace_policy - replace a policy in the kernel with a policy from a buffer
  aa_kernel_interface_replace_policy_from_file - replace a policy in the kernel with a policy from a file
  aa_kernel_interface_replace_policy_from_fd - replace a policy in the kernel with a policy from a file descriptor
  aa_kernel_interface_remove_policy - remove a policy from the kernel
  aa_kernel_interface_write_policy - write a policy to a file descriptor

The compile part will eventually come as a library but is far less
useful, and systemd should just call the external policy compiler if
policy is stale.

> Since different tools own different AppArmor policies (init scripts own
> /etc/apparmor.d/, snapd owns snapd policy, libvirt owns libvirt policy,
> docker owns docker policy, etc) this may need some effort to determine
> what we really want it to do.
>

Yes, this is a problem. Generally we have been taking the approach that
if the packaging drops the profile in the apparmor.d/ directory or other
directories set in /etc/apparmor/parser.conf, apparmor will load/reload
it. If they choose to store policy in another location (snappy, lxd,
...) they are responsible for loading/managing that part of the policy.

Basically, if you want apparmor to manage/load the policy it needs to
know where it is. Otherwise you are on your own.

> I hope this helps. Thanks.
>

--
Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in systemd package in Ubuntu: Triaged
[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
Thanks!

So we still need an AppArmor task, not just a systemd one, right?

(My question came up because all the AppArmor tasks are marked as "Fix
released", and thus I thought the only remaining thing to do is on the
systemd side, but your answer suggests that's not actually the case.)

--
Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in systemd package in Ubuntu: Triaged
[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
Sigh. https://xkcd.com/386/ on myself. The parser just checks for mtime
newer than the cache, not changes.

Thanks

--
Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in systemd package in Ubuntu: Triaged
[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
Hello intrigeri, this one is a bit involved.

As it is, systemd's support for AppArmor is to issue a change_profile
call before executing a unit's executable. This requires the profile to
already be loaded, which currently means a pre-task that calls
apparmor_parser on the profile or waiting to run until after an apparmor
unit file completes loading all profiles.

The parser currently knows how to drive the cache, invalidate it if any
of the files involved in defining the profile are modified, etc. But
it'd be nice if this functionality were exposed via a library that
systemd could use so that it could compile (and cache) the policy if
needed, it could load a cached policy if one exists and isn't stale.

Since different tools own different AppArmor policies (init scripts own
/etc/apparmor.d/, snapd owns snapd policy, libvirt owns libvirt policy,
docker owns docker policy, etc) this may need some effort to determine
what we really want it to do.

I hope this helps. Thanks.

--
Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in systemd package in Ubuntu: Triaged
[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
I could ask for help to the person who implemented the initial AppArmor
support in systemd. But first I would need a clearer task description
than "Add systemd task since it needs an update to make it use the cache
loading library". What exactly do we need systemd to do?

--
Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in systemd package in Ubuntu: Triaged
[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
This bug was fixed in the package apparmor - 2.10-0ubuntu2

---
apparmor (2.10-0ubuntu2) wily; urgency=medium

  * debian/patches/aa-status-dont_require_python3-apparmor.patch: make
    aa-status(8) work even when python3-apparmor is not installed,
    otherwise dh_apparmor postinst snippets can fail (LP: #1480492)
  * debian/control: make apparmor-utils depend on the same package
    version of python3-apparmor

 -- Steve Beattie  Fri, 31 Jul 2015 16:35:03 -0700

** Changed in: apparmor (Ubuntu)
       Status: Confirmed => Fix Released

--
Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in systemd package in Ubuntu: Triaged
[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
** Branch linked: lp:ubuntu/wily-proposed/apparmor

--
Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Confirmed
Status in systemd package in Ubuntu: Triaged
[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
AppArmor 2.10 has been released: https://launchpad.net/apparmor/2.10/2.10

** Changed in: apparmor
       Status: Fix Committed => Fix Released

--
Status in AppArmor: Fix Released
Status in apparmor package in Ubuntu: Confirmed
Status in systemd package in Ubuntu: Triaged
[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
** Changed in: apparmor
       Status: In Progress => Fix Committed

--
Status in AppArmor: Fix Committed
Status in apparmor package in Ubuntu: Confirmed
Status in systemd package in Ubuntu: Triaged
[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
** Changed in: apparmor
    Milestone: None => 2.10

--
Status in AppArmor Linux application security framework: In Progress
Status in apparmor package in Ubuntu: Confirmed
Status in systemd package in Ubuntu: Triaged
[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
As for tracking systemd bugs I'd like to reduce importance, as we have
bug 1438249 for tracking the fallback for vivid. So this is mostly
optimization now, it shouldn't make a difference security wise, right?
Please set back to High if I misunderstood this. Thanks!

** Changed in: systemd (Ubuntu)
       Status: Confirmed => Triaged

** Changed in: systemd (Ubuntu)
   Importance: High => Medium

--
Status in AppArmor Linux application security framework: In Progress
Status in apparmor package in Ubuntu: Confirmed
Status in systemd package in Ubuntu: Triaged
[Touch-packages] [Bug 1385414] Re: provide systemd compatible cache loading library
Added upstream task since that is what is in progress. Set Ubuntu task
to Confirmed. Add systemd task since it needs an update to make it use
the cache loading library.

** Also affects: apparmor
   Importance: Undecided
       Status: New

** Changed in: apparmor
       Status: New => In Progress

** Changed in: apparmor
   Importance: Undecided => High

** Changed in: apparmor
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: apparmor
   Importance: High => Critical

** Changed in: apparmor (Ubuntu)
       Status: In Progress => Confirmed

** Also affects: systemd (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: systemd (Ubuntu)
       Status: New => Confirmed

** Changed in: systemd (Ubuntu)
   Importance: Undecided => High

** Changed in: systemd (Ubuntu)
    Milestone: None => later

** Changed in: apparmor (Ubuntu)
    Milestone: None => later

--
Status in AppArmor Linux application security framework: In Progress
Status in apparmor package in Ubuntu: Confirmed
Status in systemd package in Ubuntu: Confirmed