touch-packages team mailing list archive

Thread
Date

[Bug 1438249] Re: /sbin/dhclient is unconfined after switch to systemd (aka, equivalent of upstart's network-interface-security.conf not implemented)

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: John Johansen <john.johansen@xxxxxxxxxxxxx>
Date: Tue, 31 Mar 2015 08:04:47 -0000
Reply-to: Bug 1438249 <1438249@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

So just a little more context around this whole split in policy loading.
AppArmor does a check that the cached policy is current and matches to
the kernel before loading and then if not falls back to recompiling
policy. The policy load was split into an early stage
(/etc/apparmor/init) and full policy (/etc/apparmor.d/), so that early
boot would only load the minimum amount of policy needed during early
boot to minimize potential delays (specifically fallback to compile)
during early boot. The recompile is not such an issue in later boot as
it can be run in parallel with more services.

TLDR: The split is all about boot speed. It would be easier and safer if
all policy was loaded as early as possible.

More context:
* apparmor init scripts all sys V and not upstart based (for various reasons)
* apparmor_parser at the time would only process one file and had to be called multiple times (which slowed down loading) - (FIXED)
* apparmor_parser is single threaded, so shell scripts were used to get parallel loading/compiles - (NOT fixed)
* apparmor_parser was a LOT (at least a couple orders of magnitude) slower at compiles when this was done
* apparmor_parser couldn't properly build policy for anything but the current kernel, so policy compile was always left to first boot of a given kernel
- specifying the feature set was broken (FIXED)
- the abi matching had issues (FIXED)
- new kernels didn't ship the needed feature information to compile policy for the kernel during kernel installed so policy compiles needed to wait until booting into the new kernel (NOT fixed)
* apparmor only supported a single cache ( NOT fixed - soon)
- needed to support policy for multiple kernels, having policy compiled before boot.

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1438249

Title:
/sbin/dhclient is unconfined after switch to systemd (aka, equivalent
of upstart's network-interface-security.conf not implemented)

Status in systemd package in Ubuntu:
Fix Committed

Bug description:
dhclient is starting before the apparmor profile for it is loaded
which results in the following output from aa-status:

$ sudo aa-status
...
4 profiles are in enforce mode.
/sbin/dhclient
...
1 processes are unconfined but have a profile defined.
/sbin/dhclient (634)

Upstart had the network-interface-security.conf job to make sure this
didn't happen. We wanted the cache loading library to be implemented
in time (bug #1385414), but it still hasn't landed. Having the cache
loading library in place would mean that this bug would also be fixed,
but now we need to fix this bug differently for 15.04 and it must be
fixed by release.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1438249/+subscriptions

References

[Bug 1438249] [NEW] /sbin/dhclient is unconfined after switch to systemd (aka, equivalent of upstart's network-interface-security.conf not implemented)
From: Jamie Strandboge, 2015-03-30