Author: Jamie Strandboge <jamie@canonical.com>
Description: Adjust apparmor(5) to describe policy load on Ubuntu
Bug-Ubuntu: https://launchpad.net/bugs/974089
Forward: no (Ubuntu specific)
Index: apparmor-ubuntu-trunk/parser/apparmor.pod
===================================================================
--- apparmor-ubuntu-trunk.orig/parser/apparmor.pod 2010-12-20 14:29:10.000000000 -0600
+++ apparmor-ubuntu-trunk/parser/apparmor.pod 2012-04-05 10:19:29.000000000 -0500
# NOVELL (All rights reserved)
+# Copyright (c) 2010, 2011, 2012
# Canonical Ltd. (All rights reserved)
# This program is free software; you can redistribute it and/or
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
-# along with this program; if not, contact Novell, Inc.
+# along with this program; if not, contact Canonical Ltd.
# ----------------------------------------------------------------------
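Review bot: the replacement of "contact Novell, Inc." with "contact Canonical Ltd." in the GPL boilerplate sits under a header that still carries "# NOVELL (All rights reserved)" as unchanged context, so the notice now names one copyright holder as the sole contact for a file that keeps both copyrights. Either leave Novell in the contact line alongside Canonical, or point the "if not, contact" sentence at the license text itself rather than at either company; that keeps the notice consistent with the copyright lines above it.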
AppArmor confinement is provided via I<profiles> loaded into the kernel
via apparmor_parser(8), typically through the F</etc/init.d/apparmor>
-SysV initscript, which is used like this:
+SysV initscript (on Ubuntu, also see UBUNTU POLICY LOAD, below), which is used
# /etc/init.d/apparmor start
# /etc/init.d/apparmor stop
A confined process can not call mknod(2) to create character or block devices.
+=head1 UBUNTU POLICY LOAD
+Ubuntu systems use Upstart instead of a traditional SysV init system. Because
+Upstart is an event-driven init system and understanding that policy must be
+loaded before execution, Ubuntu loads policy in two stages: first via upstart
+jobs for binaries that are started in early boot, and then via a SysV
+initscript that starts in S37 for all remaining policy. When developing
+policy it is important to know how your application is started and if policy
+load should be handled specially.
+In general, nothing extra has to be done for applications without an initscript
+or with an initscript that starts after AppArmor's second stage initscript.
+If the confined application has an Upstart job, adjust the job to call
+F</lib/init/apparmor-profile-load> with the filename of the policy file
+(relative to F</etc/apparmor.d/>). For example:
+ /lib/init/apparmor-profile-load usr.bin.foo
+If the confined application does not have an Upstart job but it starts before
+AppArmor's second stage initscript, then add a symlink from the policy file in
+F</etc/apparmor.d> to F</etc/apparmor/init/network-interface-security/>. For
+ # cd /etc/apparmor/init/network-interface-security/
+ # ln -s /etc/apparmor.d/usr.bin.foo .
+The network-interface-security Upstart job will load all the symlinked policy
+files in F</etc/apparmor/init/network-interface-security/> before any network
+interfaces come up. Because network interfaces come up very early in the boot
+process, this will help ensure that AppArmor policy is loaded before the
+confined application starts.
When a confined process tries to access a file it does not have permission
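Review bot: the new UBUNTU POLICY LOAD section says policy "must be loaded before execution" and that load "should be handled specially", but never states the consequence it is guarding against, which is the whole reason for the two-stage scheme: a program that executes before its profile is loaded runs unconfined, and loading the profile afterwards does not retroactively confine the already-running process. One sentence to that effect at the end of the first paragraph would make the "is policy load handled specially" decision concrete for the reader. The sentence "Because Upstart is an event-driven init system and understanding that policy must be loaded before execution, Ubuntu loads policy in two stages" also has a dangling "and understanding that"; suggest "Because Upstart is event-driven and policy must be loaded before a confined program executes, Ubuntu loads policy in two stages". Finally, the example "/lib/init/apparmor-profile-load usr.bin.foo" is shown bare; since the text tells the reader to adjust the Upstart job, show where the call belongs, i.e. inside the job's "pre-start script" ... "end script" stanza, so that it runs before the confined binary is exec'd rather than alongside it.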
=item F</etc/init.d/apparmor>
+=item F</etc/apparmor/init/network-interface-security/>
=item F</etc/apparmor.d/>
=item F</var/lib/apparmor/>
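Review bot: the FILES list gains "=item F</etc/apparmor/init/network-interface-security/>" but not F</lib/init/apparmor-profile-load>, even though the new section directs Upstart job authors to call that script directly. Add an "=item F</lib/init/apparmor-profile-load>" entry next to the new directory entry so every path the UBUNTU POLICY LOAD section asks the reader to touch is listed here.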