[systemd-devel] [PATCH] Add AppArmor profile switching

Michael Scherer misc at zarb.org
Fri Feb 21 00:39:12 PST 2014


On Friday 21 February 2014 at 03:48 +0100, Lennart Poettering wrote:
> On Thu, 20.02.14 16:19, misc at zarb.org (misc at zarb.org) wrote:
> 
> > From: Michael Scherer <misc at zarb.org>
> > 
> > This permits switching to a specific apparmor profile when starting a daemon. This
> > will result in a non-operation if apparmor is disabled.
> > It also adds a new build requirement on libapparmor for using this
> > feature.
> 
> Applied! I made some changes though, there were some missing
> bits to make sure the config hookup works correctly. I don't have any
> apparmor available though. Could you check if everything works
> correctly?

I will, I do have an openSUSE VM for that, and I think intrigeri, in CC,
likely does too.

> I figure the only missing bit to get apparmor up to the same level of
> support in systemd as SELinux, SMACK and IMA have would be policy
> uploading during early boot.

Yeah, but this requires a call to an external binary; I was wondering if
using some unit wouldn't be enough. Upstart also provides a way to
load a policy specified in a job, which is maybe something we could
support, like on-demand module loading for SELinux.

What do people think about it?
(for on-demand loading of profile/module)
-- 
Michael Scherer


