Package: apparmor
Version: 2.7.0-1
Severity: normal
Tags: patch

Hi Kees, hi list,

intrigeri wrote (24 Feb 2012 19:08:05 GMT) :
> Kees Cook wrote (17 Feb 2012 00:10:38 GMT) :
>>> >> * isc-dhcp 4.1.1-P1-17ubuntu12 (client only)
>>>
>>> > The profile must load before any network interface. In Ubuntu,
>>> > this is being done via upstart jobs -- I haven't tested it
>>> > with sysvinit.
>>> [...]
>> It probably means that apparmor will either need to have 2 init
>> files (early and late), or have its init modified not to require
>> /usr. Both were done at various times before in Ubuntu, so it
>> shouldn't be much work to make it happen.

(For the record, this bug report follows up on a discussion that
started over email a while ago:
https://mailman.boum.org/pipermail/tails-dev/2012-February/000904.html)

I eventually managed to tackle this problem. Here is my initial
attempt at a fix, see attached bzr bundle (untested yet due to
#669537 FTBFS). Comments are welcome.

As a bzr newbie, I'm unsure the bundle actually contains my commit
messages, so let me paste them below (which makes it easier to
discuss my reasons and choices on the bug report, by the way).

------------------------------------------------------------
revno: 1464
committer: intrigeri <intrig...@boum.org>
branch nick: load-profiles-before-networking
timestamp: Mon 2012-04-23 17:53:34 +0200
message:
  Start apparmor initscript before networking and networkmanager.

  * Drop $remote_fs from initscript's Required-Start, which is made
    possible by the previous changes that make the initscript start
    action independent from /usr.
  * Explicitly ask insserv et al. to start apparmor before the
    networking and networkmanager services.
------------------------------------------------------------
revno: 1463
committer: intrigeri <intrig...@boum.org>
branch nick: load-profiles-before-networking
timestamp: Mon 2012-04-23 17:52:49 +0200
message:
  Make the initscript start action independent from /usr.

  Rationale: we want to remove "Required-Start: $remote_fs" from the
  apparmor initscript, so that it runs before the networking one, in
  order to allow e.g. the sbin.dhclient profile to load before network
  interfaces are set up. Therefore, we need to make the initscript
  independent of /usr.

  GNU xargs is in /usr/bin, and the initscript calls functions that
  rely on options that are not supported by busybox xargs, so we can't
  just use busybox xargs instead of GNU xargs.

  So, to start with, let's not use -P, at the cost of some startup
  performance on SMP. But once we have removed -P, we have no good
  remaining reason to use xargs at all to process the list of profile
  filenames; so we stop using xargs in the foreach_configured_profile
  function, whose /usr-dependency goes away.

  (By the way, not using busybox xargs allows us to go on supporting
  profile filenames that contain whitespace, which we could not do
  easily with busybox xargs, given it does not support -d"\n" -- see
  LP #655523 for the history of this piece of code.)

  Other /usr-dependent parts of the initscript / shell function
  library are not called on Debian systems at start time:
  clear_cache_if_outdated runs clear_cache, that runs find and xargs
  (that are in /usr) with options that are not supported by busybox
  xargs. But on Debian, cache read/write is disabled due to missing
  kernel interface file => this code branch is never visited on
  Debian => ignore this for now.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
load_profiles_before_networking.bundle
Description: Binary data
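
The approach described under revno 1463, as an added example that is not taken from the attached bundle or from the apparmor initscript: a profile directory is walked with shell builtins only, so neither xargs nor find (both under /usr) is needed, and filenames containing whitespace stay intact. The names for_each_profile, skip_profile and demo, and the list of skipped suffixes, are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not the initscript's code: iterate over profile files
# without xargs/find, so the loop works before /usr is mounted.

# Hypothetical helper: succeed (0) for names that look like editor or
# packaging leftovers. The suffix list is an assumption for this example.
skip_profile() {
    case "$1" in
        *.dpkg-new|*.dpkg-old|*.dpkg-dist|*.dpkg-bak|*~) return 0 ;;
    esac
    return 1
}

# for_each_profile DIR CMD [ARGS...]
# Runs "CMD ARGS... FILE" once per regular file in DIR, one at a time
# (the sequential equivalent of dropping xargs -P). Every file is tried
# even if an earlier one fails; the return code is 1 if any call failed.
for_each_profile() {
    dir=$1; shift
    rc=0
    for profile in "$dir"/*; do
        # Skips subdirectories and the literal "DIR/*" left by an empty dir.
        [ -f "$profile" ] || continue
        skip_profile "${profile##*/}" && continue
        # Quoted expansion: a name such as "usr.bin.my app" is one argument.
        "$@" "$profile" || rc=1
    done
    return $rc
}

# Constructed sample data: two loadable profiles (one with a space in its
# name), one dpkg leftover and one subdirectory. Prints the number of
# files the callback was invoked for.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/sbin.dhclient"
    : > "$d/usr.bin.my app"
    : > "$d/sbin.dhclient.dpkg-old"
    mkdir "$d/abstractions"
    seen=0
    count_one() { seen=$((seen + 1)); }
    # No pipeline here, so the loop runs in the current shell and the
    # counter survives it.
    for_each_profile "$d" count_one
    rm -rf "$d"
    echo "$seen"
}
```

In a real initscript the callback would be the profile loader; a failing profile then marks the run as failed without preventing the remaining profiles from being loaded.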