Re: [systemd-devel] [PATCH] Add AppArmor profile switching
Le vendredi 21 février 2014 à 03:48 +0100, Lennart Poettering a écrit : On Thu, 20.02.14 16:19, m...@zarb.org (m...@zarb.org) wrote: From: Michael Scherer m...@zarb.org This permit to switch to a specific apparmor profile when starting a daemon. This will result in a non operation if apparmor is disabled. It also add a new build requirement on libapparmor for using this feature. Applied! I made some changes though, there were some missing bits to make sure the config hookup works correctly. I don't have any apparmor available though. Could you check if everything works correctly? I will, I do have a opensuse VM for that, and I think intrigeri in CC, likely does too. I figure the only missing bit to get apparmor up to the same level of support in systemd as SELinux, SMACK and IMA have would be policy uploading during early boot. Yeah, but this requires call to a external binary, I was wondering is using some unit wouldn't be enough. Upstart also do provides a way to load a policy specificied in a job, which is maye something we could support, like on demand module loading for selinux . What do people think about it ? ( for on demand loading of profile/module ) -- Michael Scherer ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Add AppArmor profile switching
Hi, Michael Scherer wrote (21 Feb 2014 08:39:12 GMT) : Le vendredi 21 février 2014 à 03:48 +0100, Lennart Poettering a écrit : I don't have any apparmor available though. Could you check if everything works correctly? I will, I do have a opensuse VM for that, and I think intrigeri in CC, likely does too. I'll happily test this (in our upcoming Tor unit file) as soon as we have a version of systemd in Debian, that this patchset cleanly applies to. Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Add AppArmor profile switching
On Fri, 21.02.14 09:39, Michael Scherer (m...@zarb.org) wrote: Applied! I made some changes though, there were some missing bits to make sure the config hookup works correctly. I don't have any apparmor available though. Could you check if everything works correctly? I will, I do have a opensuse VM for that, and I think intrigeri in CC, likely does too. I figure the only missing bit to get apparmor up to the same level of support in systemd as SELinux, SMACK and IMA have would be policy uploading during early boot. Yeah, but this requires call to a external binary, I was wondering is using some unit wouldn't be enough. Upstart also do provides a way to Well, MAC policies sound like something one really should upload at a time where no process but PID 1 is around, so that it is guaranteed to apply to every process on the system. Uploading it in a normal unit loads it releatively late and in parallel to other servics. I am happy to add code that uploads the AppArmor policy the same way we upload SELinux, IMA, SMACK, but either this uploading must be so simple that we can easily implement this in our own code (which is the way we went for IMA or SMACK), or they must provide us with some library, but doing this via invoking a binary is something that I don't want to see in systemd upstream. load a policy specificied in a job, which is maye something we could What is different from what we have now with AppArmorProfile=? support, like on demand module loading for selinux . Hmm, on-demand module loading for selinux? What do you mean by that? Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH] Add AppArmor profile switching, v3
3rd version of the patch, taking in account the feedback from Lennart. See http://lists.freedesktop.org/archives/systemd-devel/2014-January/015975.html and http://lists.freedesktop.org/archives/systemd-devel/2014-February/016916.html for details ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Add AppArmor profile switching
On Thu, 20.02.14 16:19, m...@zarb.org (m...@zarb.org) wrote: From: Michael Scherer m...@zarb.org This permit to switch to a specific apparmor profile when starting a daemon. This will result in a non operation if apparmor is disabled. It also add a new build requirement on libapparmor for using this feature. Applied! I made some changes though, there were some missing bits to make sure the config hookup works correctly. I don't have any apparmor available though. Could you check if everything works correctly? I figure the only missing bit to get apparmor up to the same level of support in systemd as SELinux, SMACK and IMA have would be policy uploading during early boot. Thanks! Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH] Add AppArmor profile switching
From: Michael Scherer m...@zarb.org
This permit to switch to a specific apparmor profile when starting a daemon.
This
will result in a non operation if apparmor is disabled.
It also add a new build requirement on libapparmor for using this feature.
---
Makefile.am | 2 ++
configure.ac | 13 ++
man/systemd.exec.xml | 13 ++
src/core/build.h | 8 +-
src/core/dbus-execute.c | 19 ++
src/core/execute.c| 23
src/core/execute.h| 3 +++
src/core/load-fragment-gperf.gperf.m4 | 3 +++
src/core/load-fragment.c | 49 +++
src/core/load-fragment.h | 1 +
src/shared/exit-status.c | 3 +++
src/shared/exit-status.h | 3 ++-
12 files changed, 138 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index c71367d..4ac2122 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1016,6 +1016,7 @@ libsystemd_core_la_CFLAGS = \
$(AUDIT_CFLAGS) \
$(CAP_CFLAGS) \
$(KMOD_CFLAGS) \
+ $(APPARMOR_CFLAGS) \
$(SECCOMP_CFLAGS) \
-pthread
@@ -1031,6 +1032,7 @@ libsystemd_core_la_LIBADD = \
$(AUDIT_LIBS) \
$(CAP_LIBS) \
$(KMOD_LIBS) \
+ $(APPARMOR_CFLAGS) \
$(SECCOMP_LIBS)
if HAVE_SECCOMP
diff --git a/configure.ac b/configure.ac
index 05ee098..2521741 100644
--- a/configure.ac
+++ b/configure.ac
@@ -385,6 +385,18 @@ if test x$enable_selinux != xno; then
fi
AM_CONDITIONAL(HAVE_SELINUX, [test $have_selinux = yes])
+have_apparmor=no
+AC_ARG_ENABLE(apparmor, AS_HELP_STRING([--disable-apparmor], [Disable optional
AppArmor support]))
+if test x$enable_apparmor != xno; then
+PKG_CHECK_MODULES([APPARMOR], [libapparmor],
+[AC_DEFINE(HAVE_APPARMOR, 1, [Define if AppArmor is
available]) have_apparmor=yes], have_apparmor=no)
+if test x$have_apparmor = xno -a x$enable_apparmor = xyes; then
+AC_MSG_ERROR([*** AppArmor support requested but libraries not
found])
+fi
+fi
+AM_CONDITIONAL(HAVE_APPARMOR, [test $have_apparmor = yes])
+
+
AC_ARG_WITH(debug-shell,
AS_HELP_STRING([--with-debug-shell=PATH],
[Path to debug shell binary]),
@@ -1110,6 +1122,7 @@ AC_MSG_RESULT([
PAM: ${have_pam}
AUDIT: ${have_audit}
IMA: ${have_ima}
+AppArmor:${have_apparmor}
SELinux: ${have_selinux}
SECCOMP: ${have_seccomp}
SMACK: ${have_smack}
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 7dbe05d..1983993 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -968,6 +968,19 @@
/varlistentry
varlistentry
+
termvarnameAppArmorProfile=/varname/term
+
+listitemparaTake a profile name as
argument.
+The process executed by the unit will switch to
+this profile when started. Profiles must
already
+be loaded in the kernel, or the unit will fail.
+This result in a non operation if AppArmor is
not
+enabled. If prefixed by literal-/literal,
all errors
+will be ignored.
+/para/listitem
+/varlistentry
+
+varlistentry
termvarnameIgnoreSIGPIPE=/varname/term
listitemparaTakes a boolean
diff --git a/src/core/build.h b/src/core/build.h
index c8117ed..3d7cd3e 100644
--- a/src/core/build.h
+++ b/src/core/build.h
@@ -45,6 +45,12 @@
#define _SELINUX_FEATURE_ -SELINUX
#endif
+#ifdef HAVE_APPARMOR
+#define _APPARMOR_FEATURE_ +APPARMOR
+#else
+#define _APPARMOR_FEATURE_ -APPARMOR
+#endif
+
#ifdef HAVE_IMA
#define _IMA_FEATURE_ +IMA
#else
@@ -87,4 +93,4 @@
#define _SECCOMP_FEATURE_ -SECCOMP
#endif
-#define SYSTEMD_FEATURES _PAM_FEATURE_ _LIBWRAP_FEATURE_
_AUDIT_FEATURE_ _SELINUX_FEATURE_ _IMA_FEATURE_ _SYSVINIT_FEATURE_
_LIBCRYPTSETUP_FEATURE_ _GCRYPT_FEATURE_ _ACL_FEATURE_
_XZ_FEATURE_ _SECCOMP_FEATURE_
+#define SYSTEMD_FEATURES _PAM_FEATURE_ _LIBWRAP_FEATURE_
_AUDIT_FEATURE_ _SELINUX_FEATURE_ _IMA_FEATURE_ _SYSVINIT_FEATURE_
_LIBCRYPTSETUP_FEATURE_ _GCRYPT_FEATURE_ _ACL_FEATURE_
_XZ_FEATURE_ _SECCOMP_FEATURE_ _APPARMOR_FEATURE_
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 41dbbab..935c62b 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -482,6 +482,24 @@ static int
[systemd-devel] [PATCH] Add AppArmor profile switching
This permit to switch to a specific apparmor profile when starting a daemon.
This
will result in a non operation if apparmor is disabled.
It also add a new build requirement on libapparmor for using this feature.
---
Makefile.am | 7 +++
configure.ac | 13 +
man/systemd.exec.xml | 13 +
src/core/build.h | 8 +++-
src/core/dbus-execute.c | 1 +
src/core/execute.c| 30 ++
src/core/execute.h| 2 ++
src/core/load-fragment-gperf.gperf.m4 | 3 ++-
src/shared/exit-status.c | 3 +++
src/shared/exit-status.h | 3 ++-
10 files changed, 80 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 79c49e6..79d355c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -776,6 +776,13 @@ libsystemd_shared_la_SOURCES += \
src/shared/seccomp-util.c
endif
+libsystemd_shared_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(APPARMOR_CFLAGS)
+
+libsystemd_shared_la_LIBADD = \
+ $(APPARMOR_LIBS)
+
#
--
noinst_LTLIBRARIES += \
libsystemd-units.la
diff --git a/configure.ac b/configure.ac
index 48d63e8..38dfa91 100644
--- a/configure.ac
+++ b/configure.ac
@@ -382,6 +382,18 @@ if test x$enable_selinux != xno; then
fi
AM_CONDITIONAL(HAVE_SELINUX, [test $have_selinux = yes])
+have_apparmor=no
+AC_ARG_ENABLE(apparmor, AS_HELP_STRING([--disable-apparmor], [Disable optional
AppArmor support]))
+if test x$enable_apparmor != xno; then
+PKG_CHECK_MODULES([APPARMOR], [libapparmor],
+[AC_DEFINE(HAVE_APPARMOR, 1, [Define if AppArmor is
available]) have_apparmor=yes], have_apparmor=no)
+if test x$have_apparmor = xno -a x$enable_apparmor = xyes; then
+AC_MSG_ERROR([*** AppArmor support requested but libraries not
found])
+fi
+fi
+AM_CONDITIONAL(HAVE_APPARMOR, [test $have_apparmor = yes])
+
+
AC_ARG_WITH(debug-shell,
AS_HELP_STRING([--with-debug-shell=PATH],
[Path to debug shell binary]),
@@ -1104,6 +1116,7 @@ AC_MSG_RESULT([
PAM: ${have_pam}
AUDIT: ${have_audit}
IMA: ${have_ima}
+AppArmor:${have_apparmor}
SELinux: ${have_selinux}
SECCOMP: ${have_seccomp}
SMACK: ${have_smack}
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 01356e4..262638d 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -968,6 +968,19 @@
/varlistentry
varlistentry
+
termvarnameAppArmorProfile=/varname/term
+
+listitemparaTake a profile name as
argument.
+The process executed by the unit will switch to
+this profile when started. Profiles must
already
+be loaded in the kernel, or the unit will fail.
+This result in a non operation if AppArmor is
not
+enabled. If prefixed by literal-/literal,
all errors
+will be ignored.
+/para/listitem
+/varlistentry
+
+varlistentry
termvarnameIgnoreSIGPIPE=/varname/term
listitemparaTakes a boolean
diff --git a/src/core/build.h b/src/core/build.h
index f04f03f..3d7cd3e 100644
--- a/src/core/build.h
+++ b/src/core/build.h
@@ -45,6 +45,12 @@
#define _SELINUX_FEATURE_ -SELINUX
#endif
+#ifdef HAVE_APPARMOR
+#define _APPARMOR_FEATURE_ +APPARMOR
+#else
+#define _APPARMOR_FEATURE_ -APPARMOR
+#endif
+
#ifdef HAVE_IMA
#define _IMA_FEATURE_ +IMA
#else
@@ -87,4 +93,4 @@
#define _SECCOMP_FEATURE_ -SECCOMP
#endif
-#define SYSTEMD_FEATURES _PAM_FEATURE_ _LIBWRAP_FEATURE_
_AUDIT_FEATURE_ _SELINUX_FEATURE_ _IMA_FEATURE_ _SYSVINIT_FEATURE_
_LIBCRYPTSETUP_FEATURE_ _GCRYPT_FEATURE_ _ACL_FEATURE_
_XZ_FEATURE_ _SECCOMP_FEATURE_
+#define SYSTEMD_FEATURES _PAM_FEATURE_ _LIBWRAP_FEATURE_
_AUDIT_FEATURE_ _SELINUX_FEATURE_ _IMA_FEATURE_ _SYSVINIT_FEATURE_
_LIBCRYPTSETUP_FEATURE_ _GCRYPT_FEATURE_ _ACL_FEATURE_
_XZ_FEATURE_ _SECCOMP_FEATURE_ _APPARMOR_FEATURE_
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index a62f517..286ae7d 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -524,6 +524,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY(SameProcessGroup, b, bus_property_get_bool,
offsetof(ExecContext, same_pgrp), SD_BUS_VTABLE_PROPERTY_CONST),
Re: [systemd-devel] [PATCH] Add AppArmor profile switching
On Fri, 14.02.14 12:21, Michael Scherer (m...@zarb.org) wrote:
This permit to switch to a specific apparmor profile when starting a daemon.
This
will result in a non operation if apparmor is disabled.
It also add a new build requirement on libapparmor for using this feature.
---
Makefile.am | 7 +++
configure.ac | 13 +
man/systemd.exec.xml | 13 +
src/core/build.h | 8 +++-
src/core/dbus-execute.c | 1 +
src/core/execute.c| 30 ++
src/core/execute.h| 2 ++
src/core/load-fragment-gperf.gperf.m4 | 3 ++-
src/shared/exit-status.c | 3 +++
src/shared/exit-status.h | 3 ++-
10 files changed, 80 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 79c49e6..79d355c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -776,6 +776,13 @@ libsystemd_shared_la_SOURCES += \
src/shared/seccomp-util.c
endif
+libsystemd_shared_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(APPARMOR_CFLAGS)
+
+libsystemd_shared_la_LIBADD = \
+ $(APPARMOR_LIBS)
+
Why is this in libsystemd-shared? This really should be added to the
core la, not shared... Or am I missing something?
SD_BUS_PROPERTY(SELinuxContext, s, NULL, offsetof(ExecContext,
selinux_context), SD_BUS_VTABLE_PROPERTY_CONST),
+SD_BUS_PROPERTY(AppArmorProfile, s, NULL,
offsetof(ExecContext, apparmor_profile),
SD_BUS_VTABLE_PROPERTY_CONST),
Hmm, so thinking about this, we should normalize both these options and
turn the s signature into (bs), i.e. a structure made of a bool and
the label, where the bool inidcates whether a non-existing label shall
be ignored or not. We have the same split up when serializing exec
commands, and we should do that here too...
+if (context-apparmor_profile use_apparmor()) {
+char* c = context-apparmor_profile;
+bool ignore = false;
+if (c[0] == '-') {
+c++;
+ignore = true;
Indentation 8 chars please...
+}
+
+err =
aa_change_onexec(context-apparmor_profile);
+if (err 0 !ignore) {
+r = EXIT_APPARMOR;
+goto fail_child;
+}
+}
+#endif
}
@@ -140,6 +140,8 @@ struct ExecContext {
char *selinux_context;
+char *apparmor_profile;
+
Similar as above, I'd like this to be stored normalized, i.e.:
bool selinux_context_ignore;
char *selinux_context;
bool apparmor_profile_ignore;
char *apparmor_profile;
Or similar...
Lennart
--
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Add AppArmor profile switching
Le vendredi 14 février 2014 à 12:31 +0100, Lennart Poettering a écrit :
On Fri, 14.02.14 12:21, Michael Scherer (m...@zarb.org) wrote:
This permit to switch to a specific apparmor profile when starting a
daemon. This
will result in a non operation if apparmor is disabled.
It also add a new build requirement on libapparmor for using this feature.
---
Makefile.am | 7 +++
configure.ac | 13 +
man/systemd.exec.xml | 13 +
src/core/build.h | 8 +++-
src/core/dbus-execute.c | 1 +
src/core/execute.c| 30 ++
src/core/execute.h| 2 ++
src/core/load-fragment-gperf.gperf.m4 | 3 ++-
src/shared/exit-status.c | 3 +++
src/shared/exit-status.h | 3 ++-
10 files changed, 80 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 79c49e6..79d355c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -776,6 +776,13 @@ libsystemd_shared_la_SOURCES += \
src/shared/seccomp-util.c
endif
+libsystemd_shared_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(APPARMOR_CFLAGS)
+
+libsystemd_shared_la_LIBADD = \
+ $(APPARMOR_LIBS)
+
Why is this in libsystemd-shared? This really should be added to the
core la, not shared... Or am I missing something?
It did also look weird this morning when I reviewed the patch, but I
trusted more my past-self than my current-self, I will take a look and
send another patch if needed.
SD_BUS_PROPERTY(SELinuxContext, s, NULL, offsetof(ExecContext,
selinux_context), SD_BUS_VTABLE_PROPERTY_CONST),
+SD_BUS_PROPERTY(AppArmorProfile, s, NULL,
offsetof(ExecContext, apparmor_profile),
SD_BUS_VTABLE_PROPERTY_CONST),
Hmm, so thinking about this, we should normalize both these options and
turn the s signature into (bs), i.e. a structure made of a bool and
the label, where the bool inidcates whether a non-existing label shall
be ignored or not. We have the same split up when serializing exec
commands, and we should do that here too...
So, you want a 2nd property SELinuxcontextIgnore/AppArmorProfileIgnore
that would be True when SELinuxContext/AppArmorProfile is prefixed by
'-', or also when SELinux/AppArmor is disabled ?
Also, SELinuxContext would be the context without the leading '-',
correct ?
+if (context-apparmor_profile use_apparmor()) {
+char* c = context-apparmor_profile;
+bool ignore = false;
+if (c[0] == '-') {
+c++;
+ignore = true;
Indentation 8 chars please...
Will do
+}
+
+err =
aa_change_onexec(context-apparmor_profile);
+if (err 0 !ignore) {
+r = EXIT_APPARMOR;
+goto fail_child;
+}
+}
+#endif
}
@@ -140,6 +140,8 @@ struct ExecContext {
char *selinux_context;
+char *apparmor_profile;
+
Similar as above, I'd like this to be stored normalized, i.e.:
bool selinux_context_ignore;
char *selinux_context;
bool apparmor_profile_ignore;
char *apparmor_profile;
Or similar...
So that would requires a custom change to load-fragment.c, so I guess
that's a separate task as we need to apply that to selinuxcontext.
So I will provides the change for SELinuxContext, then once accepted,
send a v3 of the apparmor patch with the code following the style of
SELinuxContext, is this ok ?
--
Michael Scherer
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Add AppArmor profile switching
Le vendredi 14 février 2014 à 14:05 +0100, Michael Scherer a écrit : Le vendredi 14 février 2014 à 12:31 +0100, Lennart Poettering a écrit : On Fri, 14.02.14 12:21, Michael Scherer (m...@zarb.org) wrote: SD_BUS_PROPERTY(SELinuxContext, s, NULL, offsetof(ExecContext, selinux_context), SD_BUS_VTABLE_PROPERTY_CONST), +SD_BUS_PROPERTY(AppArmorProfile, s, NULL, offsetof(ExecContext, apparmor_profile), SD_BUS_VTABLE_PROPERTY_CONST), Hmm, so thinking about this, we should normalize both these options and turn the s signature into (bs), i.e. a structure made of a bool and the label, where the bool inidcates whether a non-existing label shall be ignored or not. We have the same split up when serializing exec commands, and we should do that here too... So, you want a 2nd property SELinuxcontextIgnore/AppArmorProfileIgnore that would be True when SELinuxContext/AppArmorProfile is prefixed by '-', or also when SELinux/AppArmor is disabled ? Mhh no, you want 1 single property, but with a struct rather than 1 string, forget about that, I misread. -- Michael Scherer ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Add AppArmor profile switching
On Fri, 14.02.14 14:05, Michael Scherer (m...@zarb.org) wrote:
SD_BUS_PROPERTY(SELinuxContext, s, NULL,
offsetof(ExecContext, selinux_context), SD_BUS_VTABLE_PROPERTY_CONST),
+SD_BUS_PROPERTY(AppArmorProfile, s, NULL,
offsetof(ExecContext, apparmor_profile),
SD_BUS_VTABLE_PROPERTY_CONST),
Hmm, so thinking about this, we should normalize both these options and
turn the s signature into (bs), i.e. a structure made of a bool and
the label, where the bool inidcates whether a non-existing label shall
be ignored or not. We have the same split up when serializing exec
commands, and we should do that here too...
So, you want a 2nd property SELinuxcontextIgnore/AppArmorProfileIgnore
that would be True when SELinuxContext/AppArmorProfile is prefixed by
'-', or also when SELinux/AppArmor is disabled ?
Nope. Just one property as struct.
Also, SELinuxContext would be the context without the leading '-',
correct ?
Correct. The - would basically just be a way to denote this in the
unit file, but never stored like that internally nor exported over the bus.
@@ -140,6 +140,8 @@ struct ExecContext {
char *selinux_context;
+char *apparmor_profile;
+
Similar as above, I'd like this to be stored normalized, i.e.:
bool selinux_context_ignore;
char *selinux_context;
bool apparmor_profile_ignore;
char *apparmor_profile;
Or similar...
So that would requires a custom change to load-fragment.c, so I guess
that's a separate task as we need to apply that to selinuxcontext.
Yupp, there would be two parse functions that can handle
this. (internally, they can probably just invoke a single function that
takes pointers to both the char* and the bool variable)
So I will provides the change for SELinuxContext, then once accepted,
send a v3 of the apparmor patch with the code following the style of
SELinuxContext, is this ok ?
Feel free to just send them in a series.
Lennart
--
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
