Comment 27 for bug 1305108

On Tue, Jun 17, 2014 at 06:42:44PM -0000, Marc Deslauriers wrote:
> Here is a new version of the upstart job that contains "start on
> starting rc-sysinit". In theory, this should get run before lightdm, and
> before the legacy init scripts.

lightdm is:

start on ((filesystem
           and runlevel [!06]
           and started dbus
           and plymouth-ready)
          or runlevel PREVLEVEL=S)

(which is actually redundant, 'filesystem' is a precondition of 'runlevel')

And 'runlevel' is not emitted until the rc-sysinit job runs.

So yes, blocking rc-sysinit with apparmor sounds to me like the right
approach. This will be strictly ordered before anything that starts in
runlevel 2, which is *almost* everything. Looking at my desktop system, the
exceptions I see here, not counting filesystem daemons (NFS) are:

$ grep -rl 'start on.*filesystem\b' /etc/init | grep -vE 'rc-sysinit|failsafe'
/etc/init/screen-cleanup.conf
/etc/init/binfmt-support.conf
/etc/init/click-system-hooks.conf
/etc/init/cups-browsed.conf
/etc/init/avahi-daemon.conf
/etc/init/passwd.conf
/etc/init/lightdm.conf
/etc/init/rsyslog.conf
/etc/init/cups.conf
/etc/init/flush-early-job-log.conf
/etc/init/upstart-file-bridge.conf
/etc/init/plymouth-log.conf
/etc/init/click-apparmor.conf
$

screen-cleanup, binfmt-support, passwd, flush-early-job-log, plymouth-log
are startup tasks that don't ever need to run confined. I assume this is
also true for click-system-hooks. cups-browsed, avahi-daemon, rsyslog, and
cups include their own direct apparmor handling in the job - maybe that
should be refactored, but it's fine for now. upstart-file-bridge needs to
start as early as possible, and as a component of upstart probably needs to
run unconfined anyway.

click-apparmor may interact with the new apparmor job in some way, I'm not
sure; it's probably worth someone taking a close look.

I haven't run this same check on a phone yet to see what might be different
there.