[systemd-devel] [PATCH] Add AppArmor profile switching

Lennart Poettering lennart at poettering.net
Fri Feb 21 05:05:15 PST 2014

On Fri, 21.02.14 09:39, Michael Scherer (misc at zarb.org) wrote:

> > Applied! I made some changes though, there were some missing
> > bits to make sure the config hookup works correctly. I don't have any
> > apparmor available though. Could you check if everything works
> > correctly?
> I will, I do have an openSUSE VM for that, and I think intrigeri in CC
> likely does too.
> > I figure the only missing bit to get apparmor up to the same level of
> > support in systemd as SELinux, SMACK and IMA have would be policy
> > uploading during early boot.
> Yeah, but this requires a call to an external binary, I was wondering if
> using some unit wouldn't be enough. Upstart also provides a way to

Well, MAC policies sound like something one really should upload at a
time where no process but PID 1 is around, so that it is guaranteed to
apply to every process on the system. Uploading it in a normal unit
loads it relatively late and in parallel to other services.

I am happy to add code that uploads the AppArmor policy the same way we
upload SELinux, IMA, SMACK, but either this uploading must be so simple
that we can easily implement this in our own code (which is the way we
went for IMA or SMACK), or they must provide us with some library, but
doing this via invoking a binary is something that I don't want to see
in systemd upstream.

> load a policy specified in a job, which is maybe something we could

What is different from what we have now with AppArmorProfile=?

> support, like on demand module loading for SELinux.

Hmm, "on-demand module loading for selinux"? What do you mean by that?


Lennart Poettering, Red Hat
