... | ... | @@ -4,11 +4,33 @@ WARNING |
This documentation is a wip, and currently is just a dumping ground
to collect bits and pieces of info in one place.
Introduction
============
# Introduction
On systems where systemd is the init system it is responsible for loading apparmor policy, and can start services with a specified apparmor confinement.
# Loading apparmor policy
The loading of AppArmor policy is split into two phases.
- Early policy (systemd v246 and later)
- Late policy
Early policy loads are required to confine systemd, and other early services or services that can not depend on the apparmor unit. Late policy loads are more flexible and can be run in parallel with other systemd units on start up.
## Early policy loads
Requires
- all policy to be loaded to have precompiled cache that is available during early boot.
- cache must be in a location that is available eg. /etc/apparmor.d/cache or /lib/apparmor/cache. Cache in /var/cache/apparmor/ can NOT be used.
????
- Load is not parallel with other units
- large loads can slow down boot
Does not have to be all of policy
Loading apparmor policy
=======================
Systemd v246 added the ability to load apparmor policy cache during early boot.
Requirements
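Review bot: the added text mixes two heading conventions and duplicates sections: `Introduction` appears once as an underlined heading (`============`) and immediately again as `# Introduction`, and `Loading apparmor policy` appears both as `# Loading apparmor policy` and later as an underlined heading introducing a second description of the v246 early-boot cache loading; pick one style (the rest of the hunk uses `#`/`##`) and merge the two `Loading apparmor policy` sections so the requirements are stated in one place. The `????` placeholder and the dangling fragment `Does not have to be all of policy` should be completed or dropped before this merges, and the `Requires` list would help readers more if it said why `/var/cache/apparmor/` can NOT be used for early loads while `/etc/apparmor.d/cache` and `/lib/apparmor/cache` can. Since late policy loads run in parallel with other units, it is worth spelling out the consequence of the sentence about services that cannot depend on the apparmor unit: a service whose profile is only loaded late must be ordered after the apparmor unit, otherwise it can start before its profile exists and run unconfined.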