On Tue, Jun 17, 2014 at 06:42:44PM -0000, Marc Deslauriers wrote:
> Here is a new version of the upstart job that contains "start on
> starting rc-sysinit". In theory, this should get run before lightdm, and
> before the legacy init scripts.
lightdm is:
start on ((filesystem
and runlevel [!06]
and started dbus
and plymouth-ready)
or runlevel PREVLEVEL=S)
(which is actually redundant, 'filesystem' is a precondition of 'runlevel')
And 'runlevel' is not emitted until the rc-sysinit job runs.
So yes, blocking rc-sysinit with apparmor sounds to me like the right
approach. This will be strictly ordered before anything that starts in
runlevel 2, which is *almost* everything. Looking at my desktop system, the
exceptions I see here, not counting filesystem daemons (NFS) are:
screen-cleanup, binfmt-support, passwd, flush-early-job-log, plymouth-log
are startup tasks that don't ever need to run confined. I assume this is
also true for click-system-hooks. cups-browsed, avahi-daemon, rsyslog, and
cups include their own direct apparmor handling in the job - maybe that
should be refactored, but it's fine for now. upstart-file-bridge needs to
start as early as possible, and as a component of upstart probably needs to
run unconfined anyway.
click-apparmor may interact with the new apparmor job in some way, I'm not
sure; it's probably worth someone taking a close look.
I haven't run this same check on a phone yet to see what might be different
there.
On Tue, Jun 17, 2014 at 06:42:44PM -0000, Marc Deslauriers wrote:
> Here is a new version of the upstart job that contains "start on
> starting rc-sysinit". In theory, this should get run before lightdm, and
> before the legacy init scripts.
lightdm is:
start on ((filesystem
and runlevel [!06]
and started dbus
and plymouth-ready)
or runlevel PREVLEVEL=S)
(which is actually redundant, 'filesystem' is a precondition of 'runlevel')
And 'runlevel' is not emitted until the rc-sysinit job runs.
So yes, blocking rc-sysinit with apparmor sounds to me like the right
approach. This will be strictly ordered before anything that starts in
runlevel 2, which is *almost* everything. Looking at my desktop system, the
exceptions I see here, not counting filesystem daemons (NFS) are:
$ grep -rl 'start on.*filesystem\b' /etc/init | grep -vE 'rc-sysinit| failsafe' screen- cleanup. conf binfmt- support. conf click-system- hooks.conf cups-browsed. conf avahi-daemon. conf passwd. conf lightdm. conf rsyslog. conf flush-early- job-log. conf upstart- file-bridge. conf plymouth- log.conf click-apparmor. conf
/etc/init/
/etc/init/
/etc/init/
/etc/init/
/etc/init/
/etc/init/
/etc/init/
/etc/init/
/etc/init/cups.conf
/etc/init/
/etc/init/
/etc/init/
/etc/init/
$
screen-cleanup, binfmt-support, passwd, flush-early- job-log, plymouth-log
are startup tasks that don't ever need to run confined. I assume this is
also true for click-system-hooks. cups-browsed, avahi-daemon, rsyslog, and
cups include their own direct apparmor handling in the job - maybe that
should be refactored, but it's fine for now. upstart-file-bridge needs to
start as early as possible, and as a component of upstart probably needs to
run unconfined anyway.
click-apparmor may interact with the new apparmor job in some way, I'm not
sure; it's probably worth someone taking a close look.
I haven't run this same check on a phone yet to see what might be different
there.