need a common helper for AppArmor profile loading

Bug #692801 reported by Kees Cook
Affects                 Status         Importance   Assigned to   Milestone
upstart (Ubuntu)        Fix Released   Undecided    Unassigned
upstart (Ubuntu Natty)  Fix Released   Undecided    Unassigned

Bug Description

Binary package hint: upstart

Right now, to optimize AppArmor profile loading, each service that has a profile loads it during its "pre-start script" stanza. However, the logic for handling whether or not AppArmor exists, is loaded, etc., needs to be handled in a common way so that as it evolves, it can change in a single place, rather than changing every service's job files.

Since AppArmor may not actually be installed, the helper cannot live in any of the apparmor packages itself. And since AppArmor being missing is not considered a problem (perhaps they are using SELinux), the helper needs to live in the Upstart package. Without this, there's no sane way to do per-service profile loading, and we're back to doing a monolithic all-profile load that every job has to wait on (and means low early-boot parallelism for these services).

As an example, mysql would replace these lines:
    # Load AppArmor profile
    if aa-status --enabled 2>/dev/null; then
        apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld || true
    fi
with:
    /lib/init/apparmor-profile-load usr.sbin.mysqld
which would mean no longer requiring the heavy perl loading test from "aa-status".

This would also allow us to get cups back to confinement (see bug 690040).

How does the attached patch seem?

Tags: patch
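A sketch of what such a helper could look like, written here as an added example; it is not the debian/apparmor-profile-load script that shipped in upstart 0.6.7-2. It assumes the kernel exposes /sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor when AppArmor is active, reads those directly instead of running aa-status, and keeps the "never block the job" behaviour of the `|| true` in the mysql snippet; the overridable path variables exist only so the logic can be exercised on a host without AppArmor.

```shell
#!/bin/sh
# Added example of a per-service AppArmor profile loader for upstart jobs.
# Not the upstart package's own helper. Path variables are overridable so the
# decision logic can be tested without a real AppArmor kernel (assumption).
APPARMOR_SYSFS="${APPARMOR_SYSFS:-/sys/module/apparmor/parameters/enabled}"
APPARMOR_SECURITYFS="${APPARMOR_SECURITYFS:-/sys/kernel/security/apparmor}"
PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d}"
APPARMOR_PARSER="${APPARMOR_PARSER:-/sbin/apparmor_parser}"

# Cheap kernel-side check that replaces the perl-based "aa-status --enabled":
# module present and enabled, securityfs interface mounted, parser installed.
apparmor_available() {
    [ -r "$APPARMOR_SYSFS" ] || return 1
    read -r enabled < "$APPARMOR_SYSFS" || return 1
    [ "$enabled" = "Y" ] || return 1
    [ -d "$APPARMOR_SECURITYFS" ] || return 1
    [ -x "$APPARMOR_PARSER" ]
}

# load_profile NAME: NAME is a file under $PROFILE_DIR (e.g. usr.sbin.mysqld).
# Returns 2 only on a bad argument; every AppArmor-related outcome returns 0
# so a missing or broken profile never stops the service from starting.
load_profile() {
    name="$1"
    [ -n "$name" ] || { echo "usage: $0 PROFILE" >&2; return 2; }
    case "$name" in
        */*|.*) echo "refusing profile name '$name'" >&2; return 2 ;;
    esac
    apparmor_available || return 0      # no AppArmor (e.g. SELinux host): fine
    profile="$PROFILE_DIR/$name"
    if [ ! -f "$profile" ]; then
        echo "AppArmor profile $profile not found, continuing unconfined" >&2
        return 0
    fi
    # -r replaces an already-loaded profile, as in the original job snippet.
    "$APPARMOR_PARSER" -r "$profile" \
        || echo "apparmor_parser failed for $profile, continuing" >&2
    return 0
}

# When run as a script, act on the first argument; sourcing it does nothing.
[ $# -eq 0 ] || load_profile "$1"
```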

Kees Cook (kees) wrote:
Changed in upstart (Ubuntu):
milestone: none → natty-alpha-2
Changed in upstart (Ubuntu Natty):
status: New → In Progress
tags: added: patch
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package upstart - 0.6.7-2

---------------
upstart (0.6.7-2) natty; urgency=low

  * debian/apparmor-profile-load: common AppArmor profile loading helper
    which can be used by any upstart services, regardless of the state
    of AppArmor (LP: #692801).
 -- Kees Cook <email address hidden> Mon, 20 Dec 2010 16:03:33 -0800

Changed in upstart (Ubuntu Natty):
status: In Progress → Fix Released
no longer affects: upstart (Ubuntu Maverick)