need a common helper for AppArmor profile loading
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| upstart (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Natty | Fix Released | Undecided | Unassigned | |
Bug Description
Binary package hint: upstart
Right now, to optimize AppArmor profile loading, each service that has a profile loads it during its "pre-start script" stanza. However, the logic for handling whether or not AppArmor exists, is loaded, etc, needs to be handled in a common way so that as it evolves, it can change in a single place, rather than changing every service's job files.
Since AppArmor may not actually be installed, the helper cannot live in any of the apparmor packages itself. And since AppArmor being missing is not considered a problem (perhaps they are using SELinux), the helper needs to live in the Upstart package. Without this, there's no sane way to do per-service profile loading, and we're back to doing a monolithic all-profile load that every job has to wait on (and means low early-boot parallelism for these services).
As an example, mysql would replace these lines:
```shell
# Load AppArmor profile
if aa-status --enabled 2>/dev/null; then
    :  # the profile-loading command itself is not shown in this report
fi
```
with:
/lib/
which would mean no longer requiring the heavy perl loading test from "aa-status".
This would also allow us to get cups back to confinement (see bug 690040).
How does the attached patch seem?
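A sketch of what such a helper could look like, added here as an illustration and not the script shipped in upstart 0.6.7-2: it reads the kernel's AppArmor flag from sysfs instead of running the perl-based aa-status, treats a missing or disabled AppArmor as "nothing to do" so the job still starts, and only invokes apparmor_parser when a profile can actually be loaded. The environment override names, the exit codes and the install location are assumptions; the sysfs path and /sbin/apparmor_parser are the standard locations.

```shell
#!/bin/sh
# Hypothetical common helper illustrating the design requested in this bug.
# Not the script shipped in upstart 0.6.7-2.
#
# Intended use from a job's pre-start stanza (install path is an assumption):
#   <install-dir>/apparmor-profile-load /etc/apparmor.d/usr.sbin.mysqld
#
# Rules it follows:
#   - no aa-status: the kernel flag in sysfs answers "is AppArmor on?"
#   - AppArmor missing or disabled is not an error (exit 0), so the job starts
#   - a load failure while AppArmor IS enabled is reported (exit 2)
#
# Both paths may be overridden through the environment (used by the tests).
AA_ENABLED_FILE="${AA_ENABLED_FILE:-/sys/module/apparmor/parameters/enabled}"
AA_PARSER="${AA_PARSER:-/sbin/apparmor_parser}"

# True when the running kernel has AppArmor built in and enabled.
apparmor_enabled() {
    [ -r "$AA_ENABLED_FILE" ] || return 1
    read -r aa_flag < "$AA_ENABLED_FILE" || return 1
    [ "$aa_flag" = "Y" ]
}

# Load (replace) the profile file given as $1. Return codes:
#   0: loaded, or nothing to do because AppArmor is absent/disabled
#   1: usage error (no profile given)
#   2: AppArmor is enabled but apparmor_parser failed
apparmor_profile_load() {
    aa_profile="$1"
    if [ -z "$aa_profile" ]; then
        echo "usage: apparmor-profile-load <profile>" >&2
        return 1
    fi
    apparmor_enabled || return 0       # no AppArmor: not our problem
    [ -x "$AA_PARSER" ] || return 0    # userspace tools not installed
    [ -r "$aa_profile" ] || return 0   # package shipped no profile
    "$AA_PARSER" -r "$aa_profile" || return 2
    return 0
}

# When run as a script with an argument, act on it; otherwise only define
# the functions so the file can be sourced.
if [ $# -gt 0 ]; then
    apparmor_profile_load "$1"
    exit $?
fi
```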
This bug was fixed in the package upstart - 0.6.7-2
---------------
upstart (0.6.7-2) natty; urgency=low
* debian/apparmor-profile-load: common AppArmor profile loading helper
  which can be used by any upstart services, regardless of the state
  of AppArmor (LP: #692801).
-- Kees Cook <email address hidden> Mon, 20 Dec 2010 16:03:33 -0800