Hello,
Am Sonntag, 22. Mai 2016, 20:24:53 CEST schrieb Martin Pitt:
> Christian Boltz [2016-05-22 16:18 +0200]:
> > "start" means loading the profiles and applying the confinement to
> > _newly started_ profiles.
> >
> > This also means that _already running_ processes won't be
> > (re)confined [1], which translates a small typo done by the admin
> > ("systemctl restart apparmor" instead of "systemctl reload
> > apparmor") to leaving lots of processes unconfined and turns that
> > accidential use of "restart" into a security risk.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > This is why I need to override the "restart" behaviour so that it
> > reloads the profiles while keeping running processes confined.
> >
> > The easiest solution would be an ExecRestart= directive in the
> > service file, but unfortunately this isn't available.
>
> But ExecReload= is available, isn't that enough?
Not really.
I'm already using ExecReload= to reload the profiles (works fine), and
hope all users actually read the documentation and use reload (and avoid
restart).
Please read the paragraph above the ^^^ marker again.
The problem is what happens when someone accidently uses restart.
TL;DR: the stop/start restart behaviour removes confinement from running
processes, thus making the system less secure/protected.
So to make things secure and DAU-proof [1], I need one of
- ExecRestart= (that would be the best option)
- a way that prevents usage of restart (is there any?) or
- ExecStop=echo "systemd broke this" (worst option)
May I ask the other way round?
systemd already has lots of directives to cover corner cases, so why do
several people reject the idea that it should be possible to override
the default restart behaviour?
Regards,
Christian Boltz
[1] DAU is a german term for "Dümmster anzunehmender User" (most silly
user you can imagine)
--
> Thanks, this means a lot of people will continue to have the current
> version installed "until the end of time",even once it becomes
> horribly insecure. :(
Dude, it's flash, it's been horribly insecure since the beginning of
time ;) [> Robert Kaiser and Richard Brown in opensuse-factory]
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
