please provide upstart job for apparmor
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |
Utopic | Fix Released | High | Unassigned |
Bug Description
AppArmor has a complicated multi-stage policy load process that has evolved over time. It consists of:
- /etc/init/
- /etc/init/
- apparmor integration into upstart jobs
- an rcS sysv init script
In addition to being complicated, there are several problems:
- if a login session occurs before rcS is run, applications may start and run unconfined
- if apparmor-profiles is installed, then daemons with profiles defined may start and run unconfined
- an administrator adding apparmor policy for daemons must also adjust the upstart job for the daemon
Historically we did not use an upstart job because it would block boot and affect boot performance. Blocking boot on policy load is actually a feature because it ensures that the policy is in place before anything is started. The boot performance issue was solved long ago when we introduced binary cached profiles. In today's upstart world, rcS is intended to run prior to login anyway, so converting the initscript to an upstart job should not affect boot performance. There have also been bugs in the multi-stage policy load that allowed policy load to happen too late, with applications starting before policy load.
The security and foundations teams feel there is a better way and that we can achieve everything with a single upstart task (see attached). In essence, the task does 'start on mounted MOUNTPOINT="/"'. Because it is a task, it will block until it completes. The script will do the various checks to make sure apparmor should load policy, conditionally regenerate click policy then load it into the kernel and load all system policy.
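The attachment referred to above is not part of this page. The following is an added example, not the attached job, of what a single blocking upstart task of the kind described could look like. The file name `/etc/init/apparmor.conf`, the `aa-clickhook` call used for click policy regeneration, and the `apparmor_parser` invocation are assumptions made for the example; the page does not name them.

```upstart
# Added example, not the job attached to the bug. Assumed path: /etc/init/apparmor.conf
description "Load AppArmor policy before anything else starts"

# Run as soon as the root filesystem is mounted. Because this is a task,
# the "start" blocks until the script below exits, so policy is in the
# kernel before later jobs (daemons, login sessions) can be started.
start on mounted MOUNTPOINT="/"
task

script
    # Checks that policy should be loaded at all: parser present, AppArmor
    # compiled into the running kernel, securityfs mounted and exposing it.
    [ -x /sbin/apparmor_parser ] || exit 0
    [ -d /sys/module/apparmor ] || exit 0
    if ! grep -q ' /sys/kernel/security securityfs ' /proc/mounts; then
        mount -t securityfs securityfs /sys/kernel/security || exit 0
    fi
    [ -d /sys/kernel/security/apparmor ] || exit 0

    # Conditionally regenerate click policy (assumed helper from click-apparmor)
    # so that it is part of the same blocking load as system policy.
    if [ -x /usr/bin/aa-clickhook ]; then
        /usr/bin/aa-clickhook || logger -t apparmor "click policy regeneration failed"
    fi

    # Load all system policy, using/refreshing the binary cache so that the
    # blocking load stays cheap on every boot after the first.
    for profile in /etc/apparmor.d/*; do
        [ -f "$profile" ] || continue
        case "$profile" in
            *.dpkg-*|*~|*.orig|*.rej) continue ;;   # skip packaging leftovers
        esac
        /sbin/apparmor_parser -r --write-cache "$profile" \
            || logger -t apparmor "failed to load $profile"
    done
end script
```

The `task` stanza is what gives the blocking behaviour the description treats as a feature: without it the job would be started and the event would continue immediately, reintroducing the race between policy load and application start. A practitioner checking the result after boot can compare the profiles listed under `/sys/kernel/security/apparmor/profiles` with the files in `/etc/apparmor.d` and confirm that no confined daemon appears as `unconfined` in `ps -Z`.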
If done correctly, this should allow us to remove the network-
1. save the job as /etc/init/
2. disable the click-apparmor job with: sudo sh -c "echo manual > /etc/init/
3. disable the network-
4. add 'exit 0' to the top of /etc/init.
This should actually slightly improve boot time since less shell code is being run with the simplified policy load. 14.10 will also support precompiling apparmor policy in kernel postinst and touch image generation to ensure that the cache is available on first boot to further improve (first) boot speeds.
Activity log:
- description: updated
- Changed in apparmor (Ubuntu Trusty): status: New → Triaged
- Changed in apparmor (Ubuntu Trusty): status: Triaged → Won't Fix
- Changed in apparmor (Ubuntu Utopic): importance: Undecided → High
- tags: added: rtm14
- tags: added: application-confinement
See bug #1298539 for previous discussion.