Christian Boltz [2016-05-22 16:18 +0200]:
> "start" means loading the profiles and applying the confinement to _newly
> started_ profiles.
>
> This also means that _already running_ processes won't be (re)confined [1],
> which translates a small typo done by the admin ("systemctl restart
> apparmor" instead of "systemctl reload apparmor") to leaving lots of
> processes unconfined and turns that accidential use of "restart" into a
> security risk.
>
> This is why I need to override the "restart" behaviour so that it
> reloads the profiles while keeping running processes confined.
>
> The easiest solution would be an ExecRestart= directive in the service
> file, but unfortunately this isn't available.
But ExecReload= is available, isn't that enough?
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
