touch-packages team mailing list archive
Message #37487
[Bug 1396270] Re: specifying AppArmorProfile doesn't result in processes launched under the named profile
This bug was fixed in the package systemd - 215-6ubuntu2
---------------
systemd (215-6ubuntu2) vivid; urgency=medium
[ Martin Pitt ]
* Merge fixes from Debian master.
* Put user slices into all cgroup controllers. This makes unprivileged user
LXC containers work under systemd. (LP: #1396270)
* boot-and-services autopkgtest: Test AppArmor confined units (LP: #1396270)
[ Marc Deslauriers ]
* Build-depend on libapparmor-dev to enable AppArmor support. (LP: #1396270)
systemd (215-7) UNRELEASED; urgency=medium
[ Martin Pitt ]
* Add myself to Uploaders.
* Add boot-and-services autopkgtest: Check booting with systemd-sysv and
that the most crucial services behave as expected.
* logind autopkgtest: Fix stderr output in waiting loop for scsi_debug.
* Add nspawn test to boot-and-services autopkgtest.
* Make systemd-nspawn@.service work out of the box: (Closes: #770275)
- Pre-create /var/lib/container with a secure mode (0700) via tmpfiles.d.
- Add new try-{guest,host} modes for --link-journal to silently skip
setting up the guest journal if the host has no persistent journal.
- Extend boot-and-services autopkgtest to cover systemd-nspawn@.service.
* Cherry-pick upstream patch to fix SELinux unit access check (regression
in 215).
[ Jon Severinsson ]
* Add /run/shm -> /dev/shm symlink in debian/tmpfiles.d/debian.conf. This
avoids breakage in Jessie for packages which still refer to /run/shm, and
while https://wiki.debian.org/ReleaseGoals/RunDirectory is still official.
(LP: #1320534, Closes: #674755).
-- Martin Pitt <martin.pitt@xxxxxxxxxx> Thu, 27 Nov 2014 16:38:55 +0100
** Changed in: systemd (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1396270
Title:
specifying AppArmorProfile doesn't result in processes launched under
the named profile
Status in “systemd” package in Ubuntu:
Fix Released
Bug description:
Steps to reproduce
1. grab attached tarball and unpack in /tmp:
tar -zxvf /tmp/test.tar.gz
2. cd /tmp/test
3. Load the apparmor profile:
sudo apparmor_parser -r ./apparmor.profile
4. verify that the 'test-service' profile is loaded via 'sudo aa-status'. E.g.:
$ sudo aa-status
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
...
test-service
...
5. enable the systemd service file:
$ cat ./test.service
[Unit]
Description=test webserver
[Service]
Environment=PYTHONDONTWRITEBYTECODE=1
ExecStart=/tmp/test/bin/webserver
Restart=on-failure
WorkingDirectory=/tmp/test/www
AppArmorProfile=test-service
[Install]
WantedBy=multi-user.target
$ sudo cp ./test.service /etc/systemd/system/
$ sudo systemctl enable test.service
6. start the service
$ sudo systemctl start test.service
$ sudo systemctl --no-pager status test.service
● test.service - test webserver
Loaded: loaded (/etc/systemd/system/test.service; enabled)
Active: active (running) since Tue 2014-11-25 17:33:51 UTC; 4min 8s ago
Main PID: 1246 (webserver)
CGroup: /system.slice/test.service
└─1246 /usr/bin/python3 /tmp/test/bin/webserver
Nov 25 17:33:51 localhost.localdomain systemd[1]: Started test webserver.
7. verify that the service is confined (use Main PID from the last step. You can also use aa-status):
$ ps -Z 1246
LABEL PID TTY STAT TIME COMMAND
unconfined 1246 ? Ss 0:00 /usr/bin/python3 /tmp/test/bin/webserver
Because the service file uses 'AppArmorProfile=test-service' and the
'test-service' profile is already loaded into the kernel, I would
expect /tmp/test/bin/webserver to be running under the 'test-service'
label, not 'unconfined'.
Note: you can manually start the webserver under apparmor using aa-exec. Eg:
$ sudo aa-exec -p test-service /tmp/test/bin/webserver
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1396270/+subscriptions
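The reproduction steps above end with a manual 'ps -Z' check of the service's main PID. The script below is an added example, not part of the bug report or of the systemd package: it automates that check by asking systemctl for the unit's MainPID, reading the AppArmor label from /proc/PID/attr/current, and failing unless the label names the expected profile in enforce mode (so both the 'unconfined' result from the report and a profile left in complain mode are reported as failures). The function names and the 'test.service' / 'test-service' arguments are this example's own assumptions; 'systemctl show -p MainPID' is used instead of the newer '--value' switch so that it also works with systemd 215.

```shell
#!/bin/sh
# Added example (not from the bug report or systemd): verify that a systemd
# service's main process runs under the AppArmor profile named in its unit's
# AppArmorProfile= setting. Function names below are this example's own.

# parse_apparmor_label LABEL: print the profile name from the contents of
# /proc/PID/attr/current. AppArmor reports either "unconfined" or
# "<profile> (<mode>)", e.g. "test-service (enforce)".
parse_apparmor_label() {
    label=$1
    case $label in
        unconfined) printf '%s\n' unconfined ;;
        *)          printf '%s\n' "${label%% (*}" ;;
    esac
}

# label_mode LABEL: print the confinement mode (enforce/complain), or "none"
# when the process is unconfined.
label_mode() {
    label=$1
    case $label in
        *'('*')') mode=${label##*(}; printf '%s\n' "${mode%)}" ;;
        *)        printf '%s\n' none ;;
    esac
}

# confinement_ok LABEL EXPECTED: succeed (exit 0) only when LABEL names the
# EXPECTED profile in enforce mode; "unconfined", a different profile, or
# complain mode all fail (exit 1).
confinement_ok() {
    [ "$(parse_apparmor_label "$1")" = "$2" ] && [ "$(label_mode "$1")" = enforce ]
}

# service_main_pid UNIT: print the unit's main PID as reported by systemd
# (works with systemd 215, which has no 'systemctl show --value').
service_main_pid() {
    systemctl show -p MainPID "$1" | cut -d= -f2
}

# check_service UNIT PROFILE: live check of a running unit against /proc.
# Exit 0 when confined as expected, 1 when not, 2 when the unit is not
# running or its label cannot be read.
check_service() {
    unit=$1
    expected=$2
    pid=$(service_main_pid "$unit")
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "$unit: not running" >&2
        return 2
    fi
    label=$(cat "/proc/$pid/attr/current" 2>/dev/null) || {
        echo "$unit: cannot read AppArmor label of PID $pid" >&2
        return 2
    }
    if confinement_ok "$label" "$expected"; then
        echo "$unit (PID $pid): confined by '$expected' in enforce mode"
    else
        echo "$unit (PID $pid): label is '$label', expected '$expected (enforce)'" >&2
        return 1
    fi
}

# Usage on the host from the bug report:
#   sh check-confinement.sh test.service test-service
if [ $# -gt 0 ]; then
    if [ $# -ne 2 ]; then
        echo "usage: $0 UNIT PROFILE" >&2
        exit 2
    fi
    check_service "$1" "$2"
fi
```

The parsing is kept separate from the live /proc lookup so the label handling can be exercised with constructed labels; a non-zero exit makes the script usable as a post-start check in a deployment or test pipeline, in the same spirit as the boot-and-services autopkgtest mentioned in the changelog.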