On Tue, Jun 17, 2014 at 06:42:44PM -0000, Marc Deslauriers wrote:
> Here is a new version of the upstart job that contains "start on
> starting rc-sysinit". In theory, this should get run before lightdm, and
> before the legacy init scripts.

lightdm is:

  start on ((filesystem
             and runlevel [!06]
             and started dbus
             and plymouth-ready)
            or runlevel PREVLEVEL=S)

(which is actually redundant, 'filesystem' is a precondition of
'runlevel')

And 'runlevel' is not emitted until the rc-sysinit job runs.

So yes, blocking rc-sysinit with apparmor sounds to me like the right
approach. This will be strictly ordered before anything that starts in
runlevel 2, which is *almost* everything. Looking at my desktop system, the
exceptions I see here, not counting filesystem daemons (NFS) are:

  $ grep -rl 'start on.*filesystem\b' /etc/init | grep -vE 'rc-sysinit|failsafe'
  /etc/init/screen-cleanup.conf
  /etc/init/binfmt-support.conf
  /etc/init/click-system-hooks.conf
  /etc/init/cups-browsed.conf
  /etc/init/avahi-daemon.conf
  /etc/init/passwd.conf
  /etc/init/lightdm.conf
  /etc/init/rsyslog.conf
  /etc/init/cups.conf
  /etc/init/flush-early-job-log.conf
  /etc/init/upstart-file-bridge.conf
  /etc/init/plymouth-log.conf
  /etc/init/click-apparmor.conf
  $

screen-cleanup, binfmt-support, passwd, flush-early-job-log, plymouth-log
are startup tasks that don't ever need to run confined. I assume this is
also true for click-system-hooks. cups-browsed, avahi-daemon, rsyslog, and
cups include their own direct apparmor handling in the job - maybe that
should be refactored, but it's fine for now. upstart-file-bridge needs to
start as early as possible, and as a component of upstart probably needs to
run unconfined anyway.

click-apparmor may interact with the new apparmor job in some way, I'm not
sure; it's probably worth someone taking a close look.

I haven't run this same check on a phone yet to see what might be different
there.
--
https://bugs.launchpad.net/bugs/1305108
Title:
please provide upstart job for apparmor
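
Added example, not part of the original message or of any Ubuntu package: a stricter form of the grep check in the message, which reads each job's full multi-line 'start on' stanza and reports whether every way of satisfying it needs the 'runlevel' event, and whether the job text mentions apparmor at all. The function names and the "early" and "mixed" job texts are constructed for illustration, and treating 'and'/'or' as equal precedence is an assumption.

```python
import re
GATE = "runlevel"  # per the message: not emitted until rc-sysinit runs

def start_on(job_text):
    """Return the full 'start on' condition, joining continuation lines."""
    cond, depth = None, 0
    for line in job_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if cond is None and not line.startswith("start on"):
            continue
        cond = line[len("start on"):] if cond is None else cond + " " + line
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            break
    return cond

def _term(toks):
    if toks and toks[0] == "(":
        toks.pop(0)
        gated = _expr(toks)
        del toks[:1]  # closing ")"
        return gated
    words = []
    while toks and toks[0] not in ("and", "or", "(", ")"):
        words.append(toks.pop(0))
    return words[:1] == [GATE]  # operand is "<event> [args...]"

def _expr(toks):  # assumption: and/or have equal precedence, left to right
    gated = _term(toks)
    while toks and toks[0] in ("and", "or"):
        op, rhs = toks.pop(0), _term(toks)
        # 'and' is gated if either side is; 'or' only if both sides are
        gated = (gated or rhs) if op == "and" else (gated and rhs)
    return gated

def audit(jobs):
    """Map job name -> (needs 'runlevel' on every path, mentions apparmor)."""
    conds = {n: start_on(t) for n, t in jobs.items()}
    return {n: (_expr(re.findall(r"\(|\)|[^\s()]+", c)), "apparmor" in jobs[n])
            for n, c in conds.items() if c is not None}

def needs_review(jobs):
    return sorted(n for n, (g, aa) in audit(jobs).items() if not (g or aa))

# The lightdm stanza is the one quoted in the message; the others are constructed.
SAMPLE_JOBS = {
    "lightdm": "start on ((filesystem\n and runlevel [!06]\n and started dbus\n"
               " and plymouth-ready)\n or runlevel PREVLEVEL=S)\n",
    "early": "start on (filesystem and started dbus)\npre-start exec apparmor_parser -r PROFILE\n",
    "mixed": "start on (filesystem or runlevel [2345])\n",
}
```

To run it on a real system, build the dict from the files under /etc/init and look at what needs_review() returns. A job that waits on another job ('started foo') is not followed transitively, so such jobs still need a manual look.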