[systemd-devel] restart vs. stop/start

Christian Boltz systemd-devel at cboltz.de
Mon May 23 20:52:26 UTC 2016


Hello,

On Monday, 23 May 2016, 11:43:13 CEST, Lennart Poettering wrote:
> On Sun, 22.05.16 16:18, Christian Boltz wrote:
> > I can add my usecase as another reason ;-)
> > 
> > I'm talking about AppArmor, where "stop" means unloading the
> > profiles
> > from the kernel. The result is that all AppArmor confinement is
> > removed from all running processes.
> 
> Hmm, your apparmor service, does it actually have any processes
> running during runtime? 

No, it's a oneshot service. Loading the profiles is done with the 
apparmor_parser binary, but once they are loaded, there's no running 
process left.

> Is there actually any need to run it at
> shutdown at all (i.e. why would you unload the apparmor policies when
> powering off?)?

Keeping them loaded indeed wouldn't hurt ;-)

There might be cases where an admin wants to unload the profiles with 
"stop", but I'd guess this is done rarely.

> It appears to me, that you are trying to map something onto the
> "service" concept, that probably shouldn't really be a service. As
> someone who really doesn't know aa I'd probably suggest to have some
> tool maybe called "aactl" that exposes the various verbs you want as a
> UI, for example "load", "unload", ... And then, add one service to

load and unload translate to start and stop, and that's what systemd 
offers by default. Another verb would be reload, which also exists in 
systemd.

The missing part is a way to control the "restart" behaviour.

Since I'm not the first one who asks for an ExecRestart - is it really 
that hard to implement an ExecRestart= ?


BTW: Implementing an "aactl" command wouldn't be hard in the technical 
sense, but it will break existing scripts and user workflows that expect 
that AppArmor can be controlled with systemd.

And I'm sure people would ask me why I invent a new command instead of 
simply using systemd ;-)

> systemd that is of Type=oneshot and RemainAfterExit=yes, and runs
> "ExecStart=/usr/bin/aactl load". But do not misuse this as
> user-facing concept, do not make it do anything on stop or even
> restart, but only use it as a way of hooking aa into the early-boot
> process. Or in other words: make users use "aactl reload" or so, to
> reload their policies, and don't involve systemd in that, except for
> initial policy loading during early boot.

AppArmor profiles get loaded using initscripts since forever (at least 
since I know AppArmor) and now with an apparmor.service file.
Everything worked fine with the initscript, and it also works with 
systemd (with the exception we are discussing here).

I'd really like to keep the apparmor.service instead of inventing my own 
command.

> Oh, and btw, I offered this before: we currently load SELinux, IMA and
> SMACK policy when transitioning between the initrd and the host
> system right from PID 1, before invoking any services, so that the
> policy is applied to everything we start during normal operation. I'd
> be open to doing the same for the AA policy. In that case you
> wouldn't even need the hook service at all. None of the other MACs
> have that... Happy to take a patch for that.

Right, loading the profiles via systemd itself is something we already 
discussed upstream. I'm quite sure someone already has that on the TODO 
list ;-)

> > "start" means loading the profiles and applying the confinement to
> > _newly started_ profiles.
> > 
> > This also means that _already running_ processes won't be
> > (re)confined [1], which translates a small typo done by the admin
> > ("systemctl restart apparmor" instead of "systemctl reload
> > apparmor") to leaving lots of processes unconfined and turns that
> > accidental use of "restart" into a security risk.
> 
> Quite frankly, "restart" is supposed to do the same for all system
> services, but you try to redefine it within the scope of your specific
> service, and I am pretty sure we shouldn't cover that in systemd, and
> I also think this isn't particularly friendly to users to have
> services that behave differently on "restart" than others.

I'd argue that nobody will complain if "systemctl restart apparmor" does 
something sane (reloading the profiles) instead of making the system 
insecure by removing the confinement from all running processes ;-)


Regards,

Christian Boltz
-- 
>> In his place I would have plonked the photographer in real life.
> So how does your *PLONK* come about in "real life"? When the
> fist lands on the eye?
man "Ernst August"    [Torsten Wiens and Cornell Binder in datr-s]
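
The risk discussed in this thread, as an added example that is not part of the original mail or of AppArmor's own tooling: a Python check that lists processes still running unconfined although a profile named after their executable is loaded, which is the state an accidental "restart" leaves behind. It assumes path-named profiles and simple (non-stacked) labels; the sample data is constructed.

```python
import os
import re

PROFILES = "/sys/kernel/security/apparmor/profiles"
# Profile list and /proc/<pid>/attr/current both print "name (mode)";
# a task without confinement reports the bare word "unconfined".
LABEL_RE = re.compile(r"^(.*?)(?: \((\w+)\))?$")

def parse_label(text):
    """Return (name, mode); mode is None when no "(mode)" suffix is present."""
    return LABEL_RE.match(text.strip("\x00\n ")).groups()

def loaded_profiles(text):
    """Map profile name -> mode from the contents of the profiles file."""
    return dict(parse_label(line) for line in text.splitlines() if line.strip())

def exposed(tasks, profiles):
    """Unconfined tasks whose executable path is the name of a loaded profile."""
    return [(pid, exe, profiles[exe]) for pid, exe, label in tasks
            if parse_label(label) == ("unconfined", None) and exe in profiles]

def live_tasks(proc="/proc"):
    """Yield (pid, exe, label) for every process we are allowed to inspect."""
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            exe = os.readlink(f"{proc}/{entry}/exe")
            with open(f"{proc}/{entry}/attr/current") as fh:
                label = fh.read()
        except OSError:
            continue  # kernel thread, exited process, or no permission
        yield int(entry), exe, label

# Constructed sample (made-up paths and PIDs): state after stop + start.
SAMPLE_PROFILES = "/usr/sbin/ntpd (enforce)\n/usr/sbin/nscd (enforce)\n"
SAMPLE_TASKS = [
    (812, "/usr/sbin/ntpd", "unconfined\n"),                # predates restart
    (4021, "/usr/sbin/nscd", "/usr/sbin/nscd (enforce)\n"),  # started afterwards
    (950, "/usr/bin/bash", "unconfined\n"),                  # no profile exists
]

if __name__ == "__main__":
    live = os.access(PROFILES, os.R_OK)  # normally needs root
    text = SAMPLE_PROFILES
    if live:
        with open(PROFILES) as fh:
            text = fh.read()
    tasks = live_tasks() if live else SAMPLE_TASKS
    for pid, exe, mode in exposed(tasks, loaded_profiles(text)):
        print(f"pid {pid} ({exe}) is unconfined; profile loaded in {mode} mode")
```

Processes it reports have to be restarted to pick up confinement again, since loading the profiles only applies to newly started processes.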
