On 08/14/2014 08:03 PM, Aaron Lewis wrote:
> Hey just to clarify why I'm doing that explicitly in the systemd profile.
>
> Loading a bunch of profiles is extremely slow so this has to run after

Actually it isn't, compiling the profiles is slow but we can load a couple
thousand profiles in a few seconds (depends on the system).

What we need to do is be able to ensure that there is always a valid
profile to load, so that at early boot something can be loaded without a
compile. Part of achieving this is improving the cache so it can keep
multiple versions around. These patches are a work in progress and I
expect they will surface on the list soon.

The other part of this work is to split the cache routines out from the
parser into a library so that systemd can link against it. This is a
little further out but scheduled to happen soon too.

> system boot (after X I mean, I use autologin + startx)
> And in the meanwhile, some services like NetworkManager and nscd need
> to be enforced before they start.
>
> So I had to add an ExecPre to fix that. If I don't, it would end up
> "The binary has a profile defined but running unconfined" blabla
>

Yeah, Ubuntu has a split load atm where it does an early profile load for
a select few profiles, and then it does a generic reload.

>
> On Tue, Aug 12, 2014 at 4:23 PM, intrigeri <[email protected]> wrote:
>> Hi,
>>
>> Christian Boltz wrote (11 Aug 2014 21:53:40 GMT) :
>>> It looks unnecessary to me - the dependencies should already enforce
>>> loading all AppArmor profiles before any daemons are started (at least
>>> it works on openSUSE that way).
>>
>> ... and, if a given system-wide daemon needs a specific profile that
>> doesn't match the program's path (e.g. see system_tor in Debian), then
>> systemd v210 adds support for running that service with an explicitly
>> defined profile.
>>
>>> That all said - currently I use the good old initscript even with
>>> systemd. Having a systemd unit to load all profiles would be nice (and
>>> would solve some annoying problems) - is someone interested in writing
>>> one? ;-)
>>
>> There's been discussion about it on the systemd ML ~2-3 months ago,
>> and also on #apparmor at about the same time, but IIRC nobody summed
>> up this discussion on the list. IIRC, Marc Deslauriers, among others,
>> had interesting ideas on this topic. I think one of the key points
>> here is how to early load those profiles that really need it, e.g.
>> things that Ubuntu loads via Upstart (dhcp client, ntp).
>>
>> Cheers,
>> --
>> intrigeri
>>
>> --
>> AppArmor mailing list
>> [email protected]
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/apparmor
>
>

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
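The two approaches discussed in the thread, written out as systemd drop-in fragments. This is an added example, not configuration from the thread, from AppArmor or from any distribution: the drop-in paths, the NetworkManager profile file name and the apparmor.service ordering target are assumptions for illustration. The first fragment is the ExecPre-style workaround Aaron describes, which (re)loads a profile into the kernel before the daemon is exec'd so the daemon attaches by path; the second is the systemd v210 AppArmorProfile= directive intrigeri mentions, which switches the service into a named profile even when the profile name does not match the executable's path. In both cases the profile has to be in the kernel before the unit starts: with AppArmorProfile= an unloaded profile makes the unit fail to start unless the value is prefixed with "-", which tells systemd to ignore errors.

```ini
# Variant A (hypothetical drop-in):
#   /etc/systemd/system/NetworkManager.service.d/apparmor.conf
# Load the profile into the kernel right before the daemon is exec'd.
# The profile file name is assumed; it is not a real distribution path.
[Unit]
# Assumed name for a "load all profiles" unit; orders this service after it.
After=apparmor.service

[Service]
ExecStartPre=/sbin/apparmor_parser -r /etc/apparmor.d/usr.sbin.NetworkManager

# Variant B (hypothetical drop-in, systemd >= 210):
#   /etc/systemd/system/tor.service.d/apparmor.conf
# Switch the service into a profile by name rather than by executable path.
# "system_tor" is the Debian profile name quoted in the thread.
# A missing profile fails the unit unless the name is prefixed with "-".
[Service]
AppArmorProfile=system_tor
```

After a daemon-reload and restart, aa-status (or /proc/<pid>/attr/current for the service's main PID) shows whether the daemon ended up confined or, as in Aaron's error message, unconfined because the profile was not yet loaded when the service started.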
