Hi,

intrigeri wrote (09 Sep 2014 00:14:30 GMT) :
> So: yes, please. I've been waiting for it eagerly, and will submit
> patches to the Tor upstream unit file as soon as Debian's systemd
> supports this option.
I really want this to land in time for Jessie, so I've given it a try:

1. added libapparmor-dev to build-depends
2. the current apparmor package in Debian lacked pkg-config support, and
   thus the systemd build system did not detect it, so:
3. uploaded apparmor 2.8.0-8 with pkg-config support
4. now systemd builds fine, with AppArmor support according to the build log.

Woohoo, first milestone reached! :)

Remaining problems:

a) I don't see any dependency automatically added on libapparmor1, and
   I've no idea which binary package exactly should have it. Any hint?

b) The AppArmor support actually doesn't work for me. With the attached
   unit file for Tor (i.e. the upstream one, slightly adjusted for Debian),
   after un-commenting the AppArmorProfile directive, running
   `systemctl --system daemon-reload', and trying to restart the service,
   it fails to start. Status:

● tor.service - Anonymizing overlay network for TCP
   Loaded: loaded (/etc/systemd/system/tor.service; disabled)
   Active: failed (Result: start-limit) since Mon 2014-09-22 23:31:52 PDT; 3s ago
  Process: 24186 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --verify-config (code=exited, status=231/APPARMOR)
 Main PID: 26773 (code=exited, status=0/SUCCESS)

Sep 22 23:31:52 ensifera systemd[1]: Unit tor.service entered failed state.
Sep 22 23:31:52 ensifera systemd[1]: tor.service start request repeated too quickly, refusing to start.
Sep 22 23:31:52 ensifera systemd[1]: Failed to start Anonymizing overlay network for TCP.
Sep 22 23:31:52 ensifera systemd[1]: Unit tor.service entered failed state.
zsh: exit 3     sudo service tor status

The "status=231/APPARMOR" seems to contain (the beginning of) an
explanation, but I'm no C programmer, so diving into the source code to
understand what it can possibly mean is a bit outside of my comfort zone.

Note that the system_tor AppArmor profile *is* loaded in the kernel,
confirmed with aa-status.
Note that the version of the AppArmor userspace we're carrying in Debian
currently is a bit old, and it might be that the AppArmor support in
systemd was only tested with a newer version. If I find a slot in my
copious free time in the next days or weeks, I'll try to reproduce this
problem with the latest upstream version.

Cheers,
-- 
intrigeri
[Unit]
Description = Anonymizing overlay network for TCP
After = syslog.target network.target nss-lookup.target

[Service]
Type = simple
ExecStartPre = /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --verify-config
# A torrc that has "RunAsDaemon 1" won't work with the "simple" service type;
# let's explicitly override it.
ExecStart = /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --RunAsDaemon 0
ExecReload = /bin/kill -HUP ${MAINPID}
KillSignal = SIGINT
TimeoutSec = 30
Restart = on-failure
LimitNOFILE = 32768

# Hardening
PrivateTmp = yes
DeviceAllow = /dev/null rw
DeviceAllow = /dev/urandom r
InaccessibleDirectories = /home
ReadOnlyDirectories = /
ReadWriteDirectories = /var/lib/tor
ReadWriteDirectories = /var/log/tor
ReadWriteDirectories = /var/run/tor
NoNewPrivileges = yes
#AppArmorProfile = system_tor

[Install]
WantedBy = multi-user.target
_______________________________________________
Pkg-systemd-maintainers mailing list
Pkg-systemd-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
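An added example for the "status=231/APPARMOR" question above; it is not part of intrigeri's mail, of the Tor packaging, or of systemd. Exit status 231 is systemd's EXIT_APPARMOR_PROFILE: the child that systemd forks for ExecStartPre= exits with it when libapparmor's aa_change_onexec() fails, and that call is nothing more than a write of "exec <profile>" to /proc/self/attr/exec, which the kernel honours at the child's next execve(). The script below makes the same request from an ordinary shell, after checking that AppArmor is enabled and the profile is loaded, and then execs the unit's ExecStartPre= command, so the kernel's actual error is visible instead of a bare 231. The file name check-apparmor-unit.sh is a placeholder; the profile name system_tor and the tor command line are taken from the attached unit; the small profile list used for the offline self-check is constructed, not a real kernel listing.

```shell
#!/bin/sh
# check-apparmor-unit.sh (hypothetical name): reproduce, outside systemd, the
# confinement step that AppArmorProfile= performs, so the kernel's real error
# is visible instead of systemd's "status=231/APPARMOR".
#
# In the child it forks for ExecStartPre=/ExecStart=, systemd calls
# libapparmor's aa_change_onexec(profile), i.e. writes "exec <profile>" to
# /proc/self/attr/exec (newer kernels also expose it as
# /proc/self/attr/apparmor/exec); the kernel applies the profile at the next
# execve(). If the write fails, the child exits with EXIT_APPARMOR_PROFILE
# (231). Here the same write is made by the shell, then the command is exec'ed.
set -u

# Print the mode (enforce/complain/...) of profile $1 as listed in the
# profiles file $2, one "name (mode)" entry per line like
# /sys/kernel/security/apparmor/profiles. Prints nothing if not listed.
# The split is length-based so profile names containing spaces still match.
profile_mode() {
    awk -v p="$1" '
        {
            m = $NF
            n = substr($0, 1, length($0) - length(m) - 1)
            if (n == p) { gsub(/[()]/, "", m); print m; exit }
        }' "$2"
}

# 0 if profile $1 is loaded according to profiles file $2, 1 if not,
# 2 if the file cannot be read (securityfs not mounted, not root, ...).
profile_loaded() {
    [ -r "$2" ] || return 2
    [ -n "$(profile_mode "$1" "$2")" ]
}

# Constructed sample of the kernel's profile list, for an offline self-check;
# prints the path of a temporary file holding it.
sample_profiles_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
system_tor (enforce)
/usr/sbin/cupsd (complain)
system_tor//child (enforce)
EOF
    printf '%s\n' "$f"
}

# Request that the next execve() be confined by profile $1 (what
# aa_change_onexec() does), then exec the remaining arguments.
# Run as root from an unconfined shell, like the child of PID 1 would be.
run_confined() {
    profile=$1; shift
    [ $# -gt 0 ] || { echo "run_confined: no command given" >&2; return 1; }
    if ! printf 'exec %s' "$profile" > /proc/self/attr/exec; then
        echo "change_onexec to '$profile' refused; the shell error above is what systemd reports as status=231/APPARMOR" >&2
        return 231
    fi
    exec "$@"
}

# Check the kernel and profile $1, then run the unit's ExecStartPre= under it.
diagnose() {
    profile=$1
    enabled=$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo N)
    if [ "$enabled" != Y ]; then
        echo "AppArmor is not enabled in this kernel (enabled=$enabled)" >&2
        return 1
    fi
    profiles=/sys/kernel/security/apparmor/profiles
    rc=0; profile_loaded "$profile" "$profiles" || rc=$?
    case $rc in
        0) echo "profile $profile is loaded in $(profile_mode "$profile" "$profiles") mode" ;;
        1) echo "profile $profile is NOT loaded in the kernel" >&2; return 1 ;;
        *) echo "cannot read $profiles (securityfs not mounted, or not root?)" >&2; return 1 ;;
    esac
    # Same command line as ExecStartPre= in the attached unit.
    run_confined "$profile" /usr/bin/tor \
        --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --verify-config
}

# Usage: sudo sh check-apparmor-unit.sh system_tor
if [ $# -gt 0 ]; then
    diagnose "$1"
fi
```

Run it as root from an unconfined shell: the transition request is subject to the same kernel policy as the child PID 1 forks, so a refusal here comes with the errno text ("Permission denied", "Invalid argument", ...) that status=231 hides; systemd also records it in the journal as "Failed at step APPARMOR spawning /usr/bin/tor: ...", which is worth reading first. The script deliberately reproduces only the AppArmor step, none of the unit's other sandboxing (NoNewPrivileges=, ReadOnlyDirectories=, PrivateTmp=), so a clean run here while the service still fails points at an interaction with one of those directives rather than at the profile or the kernel.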