apparmor/apparmor.service

[Unit]
Description=Load AppArmor profiles
DefaultDependencies=no
Before=sysinit.target
After=systemd-journald-audit.socket
After=var.mount var-lib.mount
ConditionSecurity=apparmor

[Service]
Type=oneshot
ExecStart=/lib/apparmor/apparmor.systemd reload
ExecReload=/lib/apparmor/apparmor.systemd reload

# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
# from running processes (and not being able to re-apply it later).
# Upstream systemd developers refused to implement an option that allows overriding
# this behaviour, therefore we have to make ExecStop a no-op to error out on the
# safe side.
#
# If you really want to unload all AppArmor profiles, run   aa-teardown
ExecStop=/bin/true
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
Accepting request 293870 from home:elvigia:branches:security:apparmor - Add a native systemd unit which at the moment only wraps/masks the early boot script. OBS-URL: https://build.opensuse.org/request/show/293870 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=127 2015-04-12 23:08:34 +02:00			`[Unit]`
			`Description=Load AppArmor profiles`
			`DefaultDependencies=no`
			`Before=sysinit.target`
			`After=systemd-journald-audit.socket`
Accepting request 482764 from home:cboltz - add upstream-changes-r-3629..3648.diff: - preserve unknown profiles when reloading apparmor.service (CVE-2017-6507, lp#1668892, boo#1029696) - add aa-remove-unknown utility to unload unknown profiles (lp#1668892) - update nvidia abstraction for newer nvidia drivers - don't enforce ordering of dbus rule attributes in utils (lp#1628286) - add --parser, --base and --Include option to aa-easyprof to allow non-standard paths (useful for tests) (lp#1521031) - move initialization code in apparmor.aa to init_aa(). This allows to run all utils tests even if /etc/apparmor.d/ or /sbin/apparmor_parser don't exist. - several improvements in the utils tests - drop upstreamed python3-drop-re-locale.patch - no longer delete/skip some of the utils tests (to allow this, add parser-tests-dbus-duplicated-conditionals.diff) - add var.mount dependeny to apparmor.service (boo#1016259#c34) OBS-URL: https://build.opensuse.org/request/show/482764 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=174 2017-03-26 20:43:45 +02:00			`After=var.mount var-lib.mount`
Accepting request 293870 from home:elvigia:branches:security:apparmor - Add a native systemd unit which at the moment only wraps/masks the early boot script. OBS-URL: https://build.opensuse.org/request/show/293870 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=127 2015-04-12 23:08:34 +02:00			`ConditionSecurity=apparmor`

			`[Service]`
			`Type=oneshot`
Accepting request 560016 from home:cboltz - update to AppArmor 2.12 - add support for 'owner' rules in aa-logprof and aa-genprof - add support for includes with absolute path in aa-logprof etc. (lp#1733700) - update aa-decode to also decode PROCTITLE (lp#1736841) - several profile and abstraction updates, including boo#1069470 - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 for the detailed upstream changelog - drop upstreamed patches: - read_inactive_profile-exactly-once.patch - utils-fix-sorted-save_profiles-regression.diff - lessopen profile: change all 'rix' rules to 'mrix' - update to AppArmor 2.11.95 aka 2.12 beta1 - add JSON interface to aa-logprof and aa-genprof (used by YaST) - drop old YaST interface code - update audio, base and nameservice abstractions - allow @{pid} to match 7-digit pids - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 for the detailed upstream changelog - drop upstreamed patches - apparmor-yast-cleanup.patch - apparmor-json-support.patch - nameservice-libtirpc.diff - drop obsolete perl modules (YaST no longer needs them) - drop patches that were only needed by the obsolete perl modules: - apparmor-utils-string-split - apparmor-abstractions-no-multiline.diff - drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in apparmor_parser - refresh utils-fix-sorted-save_profiles-regression.diff OBS-URL: https://build.opensuse.org/request/show/560016 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=194 2017-12-26 15:30:01 +01:00			`ExecStart=/lib/apparmor/apparmor.systemd reload`
Accepting request 480782 from home:kukuk:branches:security:apparmor - Cleanup spec file: - don't use insserv if we afterwards call systemd, this can have bad side effects - remove dead code - remove now obsolete 'distro' checks - Replace init.d script with new wrapper working with systemd OBS-URL: https://build.opensuse.org/request/show/480782 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=172 2017-03-19 20:14:12 +01:00			`ExecReload=/lib/apparmor/apparmor.systemd reload`
Accepting request 560016 from home:cboltz - update to AppArmor 2.12 - add support for 'owner' rules in aa-logprof and aa-genprof - add support for includes with absolute path in aa-logprof etc. (lp#1733700) - update aa-decode to also decode PROCTITLE (lp#1736841) - several profile and abstraction updates, including boo#1069470 - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 for the detailed upstream changelog - drop upstreamed patches: - read_inactive_profile-exactly-once.patch - utils-fix-sorted-save_profiles-regression.diff - lessopen profile: change all 'rix' rules to 'mrix' - update to AppArmor 2.11.95 aka 2.12 beta1 - add JSON interface to aa-logprof and aa-genprof (used by YaST) - drop old YaST interface code - update audio, base and nameservice abstractions - allow @{pid} to match 7-digit pids - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 for the detailed upstream changelog - drop upstreamed patches - apparmor-yast-cleanup.patch - apparmor-json-support.patch - nameservice-libtirpc.diff - drop obsolete perl modules (YaST no longer needs them) - drop patches that were only needed by the obsolete perl modules: - apparmor-utils-string-split - apparmor-abstractions-no-multiline.diff - drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in apparmor_parser - refresh utils-fix-sorted-save_profiles-regression.diff OBS-URL: https://build.opensuse.org/request/show/560016 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=194 2017-12-26 15:30:01 +01:00
			`# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement`
			`# from running processes (and not being able to re-apply it later).`
			`# Upstream systemd developers refused to implement an option that allows overriding`
			`# this behaviour, therefore we have to make ExecStop a no-op to error out on the`
			`# safe side.`
			`#`
			`# If you really want to unload all AppArmor profiles, run aa-teardown`
			`ExecStop=/bin/true`
Accepting request 293870 from home:elvigia:branches:security:apparmor - Add a native systemd unit which at the moment only wraps/masks the early boot script. OBS-URL: https://build.opensuse.org/request/show/293870 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=127 2015-04-12 23:08:34 +02:00			`RemainAfterExit=yes`

			`[Install]`
- change /etc/apparmor.d/cache symlink to /var/lib/apparmor/cache/. This is part of the root partition (at least with default partitioning) and should be available earlier than /var/cache/apparmor/ (boo#1015249, boo#980081, bsc#1016259) - add dependency on var-lib.mount to apparmor.service as safety net OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=163 2017-01-24 15:23:09 +01:00			`WantedBy=multi-user.target`