Bug 63312

Summary: Apparmor support in ConditionSecurity
Product: systemd Reporter: Nirbheek Chauhan <nirbheek.chauhan>
Component: generalAssignee: systemd-bugs
Status: RESOLVED FIXED QA Contact: systemd-bugs
Severity: enhancement    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: Add support for ConditionSecurity=apparmor, update man page
Add support for ConditionSecurity=apparmor, update man page
Add support for ConditionSecurity=apparmor, update man page
Use the same test as upstart for apparmor

Description Nirbheek Chauhan 2013-04-09 13:18:54 UTC
Created attachment 77666 [details] [review]
Add support for ConditionSecurity=apparmor, update man page

The attached patch adds support for ConditionSecurity=apparmor and updates the man page. This allows init scripts in Ubuntu that check whether apparmor is the current LSM to be converted to systemd service files.
Comment 1 Nirbheek Chauhan 2013-04-09 13:25:57 UTC
Created attachment 77667 [details] [review]
Add support for ConditionSecurity=apparmor, update man page

Whitespace wasn't expanded-tabs in the previous patch. Fixed now.
Comment 2 Lennart Poettering 2013-04-09 15:09:50 UTC
any particular reason for glob_exists()? The passed path is not a glob, so access(F_OK) sounds sufficient?
Comment 3 Nirbheek Chauhan 2013-04-09 17:55:02 UTC
(In reply to comment #2)
> any particular reason for glob_exists()? The passed path is not a glob, so
> access(F_OK) sounds sufficient?

I tried to use systemd util functions, but access(path, F_OK) works the same.
Comment 4 Lennart Poettering 2013-04-09 19:26:57 UTC
Hmm, so, the current implementation of the SELinux check not only checks whether SELinux is compiled into the kernel, but also if it is turned on during runtime. I wonder if we should have the same for AppArmor? Is there a nice way to check whether AppArmor is actually turned on?

(Also, as a side note, we currently load SELinux, IMA and SMACK policies from early PID 1, so that they are applied before the first process is started. Do we want the same for AppArmor?)
Comment 5 Nirbheek Chauhan 2013-04-10 07:57:41 UTC
(In reply to comment #4)
> Hmm, so, the current implementation of the SELinux check not only checks
> whether SELinux is compiled into the kernel, but also if it is turned on
> during runtime. 

That directory only exists if AppArmor is loaded *and* turned on, so the check is sufficient. This can be verified by booting with security=none and running `aa-status`. The module is loaded, but the apparmor tree inside securityfs isn't.

> (Also, as a side note, we currently load SELinux, IMA and SMACK policies
> from early PID 1, so that they are applied before the first process is
> started. Do we want the same for AppArmor?)

Right now we're using a .service file with DefaultDependenices=no, Before=basic.target, WantedBy=sysinit.target which works fine for us because everything that we confine is running in basic.target.

However, eventually it would indeed be nice to have systemd load AA profiles with PID 1.
Comment 6 Nirbheek Chauhan 2013-04-10 08:00:54 UTC
(In reply to comment #5)
> However, eventually it would indeed be nice to have systemd load AA profiles
> with PID 1.

I should note here that I speak as a distributor/user of AppArmor, and not a developer, so there might be details that I am missing which would make this undesirable.
Comment 7 Nirbheek Chauhan 2013-04-30 06:24:24 UTC
Created attachment 78627 [details] [review]
Add support for ConditionSecurity=apparmor, update man page

The attached patch implements access(F_OK), and has an updated commit message.

I think early loading of profiles is a separate issue? Is there anything else that needs to be done here?
Comment 8 Lennart Poettering 2013-05-06 19:17:58 UTC
Thanks! Applied!
Comment 9 Lennart Poettering 2013-05-16 19:12:43 UTC
Hmm, I just noticed this patch:

https://code.launchpad.net/~mdeslaur/upstart/apparmor-support/+merge/164169

It contains a different check for AppArmor. Basically something like this:

/sys/module/apparmor/parameters/enabled == 'Y'

I'd prefer if we could change our code to do the same, given that the Ubuntu guys are guys are upstream for apparmor.

Any chance you could rework the condition check? Most likely you can just use:

static bool apparmor_enabled(void) {
        _cleanup_free_ char *p = NULL;

        r = read_one_line_file("/sys/module/apparmor/parameters/enabled", &p);
        if (r < 0)
                return false;

        return parse_boolean(p) > 0;
}

But I can't test this, so I am kinda counting on you to check if this works and provide a patch?
Comment 10 Nirbheek Chauhan 2013-05-16 19:16:46 UTC
I'll test this and get back to you ASAP.
Comment 11 Nirbheek Chauhan 2013-05-20 10:08:09 UTC
Created attachment 79566 [details] [review]
Use the same test as upstart for apparmor

The attached patch works for me.
Comment 12 Zbigniew Jedrzejewski-Szmek 2013-05-30 04:48:31 UTC
Applied in http://cgit.freedesktop.org/systemd/systemd/commit/?id=cb0edd735c40f.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.