Package: apparmor
Version: 2.7.0-1
Severity: normal
Tags: patch

Hi Kees, hi list,

intrigeri wrote (24 Feb 2012 19:08:05 GMT) :
> Kees Cook wrote (17 Feb 2012 00:10:38 GMT) :
>>> >>   * isc-dhcp 4.1.1-P1-17ubuntu12 (client only)
>>> 
>>> > The profile must load before any network interface. In Ubuntu,
>>> > this is being done via upstart jobs -- I haven't tested it
>>> > with sysvinit.
>>> 
[...]
>> It probably means that apparmor will either need to have 2 init
>> files (early and late), or have its init modified not to require
>> /usr. Both were done at various times before in Ubuntu, so it
>> shouldn't be much work to make it happen.
(For the record, this bug report follows up on a discussion that
started over email a while ago:
https://mailman.boum.org/pipermail/tails-dev/2012-February/000904.html)

I eventually managed to tackle this problem.
Here is my initial attempt at a fix,
see attached bzr bundle (untested yet due to #669537 FTBFS).
Comments are welcome.

As a bzr newbie, I'm unsure the bundle actually contains my commit
messages, so let me paste them below (which makes it easier to
discuss my reasons and choices on the bug report, by the way).
------------------------------------------------------------
revno: 1464
committer: intrigeri <intrigeri@???>
branch nick: load-profiles-before-networking
timestamp: Mon 2012-04-23 17:53:34 +0200
message:
  Start apparmor initscript before networking and networkmanager.
  
  * Drop $remote_fs from initscript's Required-Start, which is made
    possible by the previous changes that make the initscript start action
    independent from /usr.
  * Explicitly ask insserv et al. to start apparmor before the
    networking and networkmanager services.
------------------------------------------------------------
revno: 1463
committer: intrigeri <intrigeri@???>
branch nick: load-profiles-before-networking
timestamp: Mon 2012-04-23 17:52:49 +0200
message:
  Make the initscript start action independent from /usr.
  
  Rationale: we want to remove "Required-Start: $remote_fs" from the
  apparmor initscript, so that it runs before the networking one,
  in order to allow e.g. the sbin.dhclient profile to load before
  network interfaces are set up.
  
  Therefore, we need to make the initscript independent of /usr.
  GNU xargs is in /usr/bin, and the initscript calls functions that rely
  on options that are not supported by busybox xargs, so we can't just
  use busybox xargs instead of GNU xargs.
  
  So, to start with, let's not use -P, at the cost of some startup
  performance on SMP. But once we have removed -P, we have no good
  remaining reason to use xargs at all to process the list of profile
  filenames; so we stop using xargs in the foreach_configured_profile
  function, whose /usr-dependency goes away. (By the way, not using
  busybox xargs allows us to go on supporting profile filenames that
  contain whitespace, which we could not do easily with busybox xargs,
  given it does not support -d"\n" -- see LP #655523 for the history of
  this piece of code.)
  
  Other /usr-dependent parts of the initscript / shell function library
  are not called on Debian systems at start time:
  clear_cache_if_outdated runs clear_cache, that runs find and xargs
  (that are in /usr) with options that are not supported by busybox
  xargs. But on Debian, cache read/write is disabled due to missing
  kernel interface file => this code branch is never visited on Debian
  => ignore this for now.
Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
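
The xargs-free, whitespace-safe iteration described in the revno 1463 commit message, as an added example that is not the code from the attached bundle or from AppArmor's initscript. The function names, the backup-suffix list and the two counters are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example with hypothetical names; not AppArmor's initscript code.
# Only shell builtins plus the loader command passed in are used, so
# nothing under /usr (xargs, find) is needed before /usr is mounted.

# skip_backup_file NAME: succeed for editor/package-manager leftovers.
# The suffix list is an assumption for this example.
skip_backup_file() {
    case "$1" in
        *~|*.orig|*.rej|*.dpkg-new|*.dpkg-old|*.dpkg-dist|*.dpkg-bak)
            return 0 ;;
    esac
    return 1
}

# foreach_profile_serial DIR CMD [ARGS...]
# Runs "CMD ARGS... FILE" once per regular file in DIR, one at a time
# (no xargs -P parallelism). Glob expansion keeps each pathname as a
# single word, so names containing whitespace survive without
# xargs -d"\n". Sets PROFILES_SEEN and PROFILES_FAILED and returns
# non-zero if any CMD failed, so the caller can report that networking
# would come up with a profile missing.
# Illustrative call: foreach_profile_serial /etc/apparmor.d /sbin/apparmor_parser --replace
foreach_profile_serial() {
    dir=$1
    shift
    PROFILES_SEEN=0
    PROFILES_FAILED=0
    for profile in "$dir"/*; do
        # Skips subdirectories and the literal pattern of an empty dir.
        [ -f "$profile" ] || continue
        skip_backup_file "$profile" && continue
        PROFILES_SEEN=$((PROFILES_SEEN + 1))
        if ! "$@" "$profile"; then
            PROFILES_FAILED=$((PROFILES_FAILED + 1))
            echo "failed to load: $profile" >&2
        fi
    done
    [ "$PROFILES_FAILED" -eq 0 ]
}
```
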