Hello intrigeri, this one is a bit involved. As it is, systemd's support for AppArmor is to issue a change_profile call before executing a unit's executable. This requires the profile to already be loaded, which currently means either a pre-task that calls apparmor_parser on the profile, or waiting to run until after an apparmor unit file completes loading all profiles.
The parser currently knows how to drive the cache, invalidate it if any of the files involved in defining the profile are modified, etc. But it'd be nice if this functionality were exposed via a library that systemd could use, so that it could compile (and cache) the policy if needed, or load a cached policy if one exists and isn't stale. Since different tools own different AppArmor policies (init scripts own /etc/apparmor.d/, snapd owns snapd policy, libvirt owns libvirt policy, docker owns docker policy, etc.) this may need some effort to determine what we really want it to do. I hope this helps. Thanks.

--
https://bugs.launchpad.net/bugs/1385414

Title:
  provide systemd compatible cache loading library

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Triaged

Bug description:
  This tracks the work related to moving AppArmor to systemd in support of bug 1379542.
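To make the pre-task and the cache-invalidation rule concrete, here is an added example in shell. It is not code from this bug thread, nor from the AppArmor or systemd projects. It walks a profile and the files it includes, declares the cache stale when any of them is newer than the cached binary (or when no cache exists), and prints the apparmor_parser invocation a unit's pre-task would run. The profile path, include directory and cache path are assumptions passed in by the caller; the apparmor_parser flags it prints (-r, -W, -T) are the real ones. The real parser also ties its cache to the kernel feature set, which this check does not model.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the AppArmor/systemd
# projects. Reproduces the staleness rule the message attributes to
# apparmor_parser (a cached binary is unusable if the profile or any file
# it includes is newer than the cache) and shows the pre-task a unit would
# run. Profile, include dir and cache location are caller assumptions.
set -u

# list_inputs FILE INCDIR [DEPTH]: print FILE and, recursively, every file
# it pulls in through "#include <x>", "include <x>" or "include if exists <x>"
# resolved under INCDIR. A directory include contributes every file in it.
# DEPTH caps recursion so a self-including abstraction cannot loop forever.
list_inputs() (
  file=$1; incdir=$2; depth=${3:-0}
  [ "$depth" -lt 16 ] || exit 0
  if [ -d "$file" ]; then
    for f in "$file"/*; do
      if [ -f "$f" ]; then list_inputs "$f" "$incdir" $((depth + 1)); fi
    done
    exit 0
  fi
  [ -f "$file" ] || exit 0        # "include if exists" may name a missing file
  printf '%s\n' "$file"
  sed -n 's/^[[:space:]]*#\{0,1\}include[[:space:]]\{1,\}\(if[[:space:]]\{1,\}exists[[:space:]]\{1,\}\)\{0,1\}<\([^>]*\)>.*/\2/p' "$file" |
    while IFS= read -r inc; do
      list_inputs "$incdir/$inc" "$incdir" $((depth + 1))
    done
)

# cache_is_stale PROFILE CACHE INCDIR: succeed (exit 0) if CACHE is missing
# or older than any input of PROFILE, i.e. the binary must be recompiled.
cache_is_stale() {
  [ -f "$2" ] || return 0
  # find prints a path only when its mtime is newer than the cache file's
  newer=$(list_inputs "$1" "$3" | while IFS= read -r f; do
            find "$f" -newer "$2"
          done)
  [ -n "$newer" ]
}

# plan_load PROFILE CACHE INCDIR: print the apparmor_parser command a unit's
# pre-task would run. -r replaces the loaded profile; when the cache is
# stale, -T skips reading the old cache and -W writes a fresh one.
plan_load() {
  if cache_is_stale "$1" "$2" "$3"; then
    printf 'apparmor_parser -r -W -T %s\n' "$1"
  else
    printf 'apparmor_parser -r %s\n' "$1"
  fi
}
```

In a unit this sits behind ExecStartPre= (run the printed command) while AppArmorProfile= names the profile, so the change_profile call systemd makes before exec finds the profile already loaded. The library the message asks for would fold the two steps into one call systemd makes itself, instead of every unit carrying its own pre-task.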