[systemd-devel] [PATCH] Move apparmor code before the namespace setup

Lennart Poettering lennart at poettering.net
Mon Oct 27 07:38:37 PDT 2014


On Sat, 11.10.14 21:57, misc at zarb.org (misc at zarb.org) wrote:

> From: Michael Scherer <misc at zarb.org>
> 
> Since apparmor needs to access /proc to communicate with the kernel,
> any unit setting / as read-only will be unable to also use the
> AppArmorProfile setting, as found in Debian bug 760526.

A unit that sets /proc to read-only is broken anyway; I don't think we
should work around that. Or am I missing something here?

If you apply the apparmor profile before setting up the namespace
stuff you need to whitelist all the namespace operations in the
apparmor profile. That might be quite a lot, hence: is this really
desirable?

Lennart

-- 
Lennart Poettering, Red Hat
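The failure mode the thread is about (a unit that makes /proc read-only and also asks for an AppArmorProfile=) is easy to catch before the service is ever started. The checker below is an added example written for this page; it is not code from the patch, from systemd or from either poster. The directive names are real systemd.exec settings (ReadOnlyDirectories=/ReadWriteDirectories= are the pre-v231 spellings of ReadOnlyPaths=/ReadWritePaths=), the two unit files are constructed for the demo, and the component-wise prefix matching is a simplification of how systemd applies the mount namespace rather than its actual implementation.

```python
"""Flag systemd units that combine AppArmorProfile= with a read-only /proc.

Added example, not part of the systemd-devel thread. The sample units are
constructed; the path handling is a deliberately simple model of systemd's
read-only/read-write mount logic (assumption, not systemd's real code).
"""
from typing import Optional

READ_ONLY_KEYS = ("ReadOnlyPaths", "ReadOnlyDirectories")
READ_WRITE_KEYS = ("ReadWritePaths", "ReadWriteDirectories")

# Constructed sample: the combination reported in the thread.
BROKEN_UNIT = """\
[Unit]
Description=Demo daemon confined by AppArmor with a read-only root

[Service]
ExecStart=/usr/bin/demo-daemon
AppArmorProfile=demo-daemon
ReadOnlyDirectories=/
"""

# Constructed sample: read-only trees that leave /proc writable.
OK_UNIT = """\
[Service]
ExecStart=/usr/bin/demo-daemon
AppArmorProfile=demo-daemon
ReadOnlyPaths=/etc /usr
"""


def service_settings(unit_text: str) -> dict:
    """Collect [Service] directives as key -> list of values.

    Repeated keys accumulate and an empty assignment resets the list, which
    mirrors how systemd treats list-valued settings.
    """
    settings: dict = {}
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "":
            settings[key] = []
        else:
            settings.setdefault(key, []).append(value)
    return settings


def _paths(values: list) -> list:
    """Split space-separated path lists; drop the '-' (ignore if missing) and
    '+' (relative to RootDirectory=) prefixes and normalise trailing slashes."""
    out = []
    for value in values:
        for path in value.split():
            out.append("/" + path.lstrip("-+").strip("/"))
    return out


def _covers(prefix: str, path: str) -> bool:
    """True if a mount entry at `prefix` applies to `path`, component-wise."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def proc_read_only(settings: dict) -> bool:
    """/proc ends up read-only when a read-only entry covers it and no
    read-write entry re-enables writing below it."""
    read_only = [p for k in READ_ONLY_KEYS for p in _paths(settings.get(k, []))]
    read_write = [p for k in READ_WRITE_KEYS for p in _paths(settings.get(k, []))]
    covered_ro = any(_covers(p, "/proc") for p in read_only)
    covered_rw = any(_covers(p, "/proc") for p in read_write)
    return covered_ro and not covered_rw


def check_unit(unit_text: str) -> Optional[str]:
    """Return a finding string for the problematic combination, else None."""
    settings = service_settings(unit_text)
    profile = settings.get("AppArmorProfile", [])
    if profile and proc_read_only(settings):
        return (f"AppArmorProfile={profile[-1]} combined with a read-only /proc: "
                "switching profile needs to write to /proc and will fail")
    return None


if __name__ == "__main__":
    for name, unit in (("BROKEN_UNIT", BROKEN_UNIT), ("OK_UNIT", OK_UNIT)):
        print(name, "->", check_unit(unit) or "ok")
```

Run it over your own unit files (`check_unit(open(path).read())`) as a pre-deployment lint; a hit means the unit will reproduce the bug from the thread whichever way the ordering in the patch is decided, and the usual fix is to stop mounting /proc read-only rather than to widen the AppArmor profile.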

