Bug #10857: Check if it's OK to start AppArmor before live-config

Bug #10857

Check if it's OK to start AppArmor before live-config

Added by intrigeri 2016-01-05 12:55:33 . Updated 2016-01-09 18:20:31 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Target version:

Tails_2.0

Start date:

2016-01-05

Due date:

% Done:

100%

Feature Branch:

Type of work:

Research

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

On a build from devel (Jessie) I see AppArmor profiles loading starting super early (as intended), but so early that live-config hasn’t done its job yet. Do we assume in any way that live-config has finished its job, before we start loading AppArmor profiles?

Subtasks

History

#1 Updated by intrigeri 2016-01-09 18:20:31

Status changed from Confirmed to Resolved
Assignee deleted (~~intrigeri~~)
% Done changed from 0 to 100

On a current build from devel, I had a quick look at what’s in /lib/live/config. There’s nothing in there that we confine with AppArmor, and I doubt we ever add any such thing as a live-config hook, so we should be fine: if we want to add non-trivial stuff to run on startup, adding a systemd unit will likely be preferred to a live-config hook, e.g. because it allows for parallel startup while live-config hooks are run sequentially… which would be a case for migrating some of our current live-config hooks to system services, by the way.