From a66ff700a28ad1e1dab1a982cbd4171a64b0f619 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 15 Mar 2024 16:17:19 +0000
Subject: [PATCH] build: split systemd drop file in function of their purpose.

default: ensure a service use a given profile
early: ensure a service start after apparmor.
---
 cmd/prebuild/main.go | 4 +++-
 pkg/prebuild/prepare.go | 13 ++++++++++---
 systemd/{default => early}/system/haveged.service | 0
 .../{default => early}/system/multipathd.service | 0
 systemd/{default => early}/system/pcscd.service | 0
 .../system/systemd-journald.service | 0
 .../system/systemd-networkd.service | 0
 .../system/systemd-timesyncd.service | 0
 .../system/systemd-userdbd.service | 0
 9 files changed, 13 insertions(+), 4 deletions(-)
 rename systemd/{default => early}/system/haveged.service (100%)
 rename systemd/{default => early}/system/multipathd.service (100%)
 rename systemd/{default => early}/system/pcscd.service (100%)
 rename systemd/{default => early}/system/systemd-journald.service (100%)
 rename systemd/{default => early}/system/systemd-networkd.service (100%)
 rename systemd/{default => early}/system/systemd-timesyncd.service (100%)
 rename systemd/{default => early}/system/systemd-userdbd.service (100%)

diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
index 27b23a8d..91c9e3da 100644
--- a/cmd/prebuild/main.go
+++ b/cmd/prebuild/main.go
@@ -52,13 +52,15 @@ func aaPrebuild() error {
 prebuild.Prepares = append(prebuild.Prepares, prebuild.SetFullSystemPolicy)
 prebuild.Builds = append(prebuild.Builds, prebuild.BuildFullSystemPolicy)
 } else {
- prebuild.Prepares = append(prebuild.Prepares, prebuild.SetDefaultSystemd)
+ prebuild.Prepares = append(prebuild.Prepares, prebuild.SetEarlySystemd)
 }
+
 if complain {
 prebuild.Builds = append(prebuild.Builds, prebuild.BuildComplain)
 } else if enforce {
 prebuild.Builds = append(prebuild.Builds, prebuild.BuildEnforce)
 }
+
 if abi4 {
 prebuild.Builds = append(prebuild.Builds, prebuild.BuildABI3)
 }
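Review bot: Only the else branch of aaPrebuild appends SetEarlySystemd, so a full-system-policy build still installs none of the after-apparmor ordering drop-ins, and nothing in the hunk or the description says whether that omission is deliberate. If it is, a comment on the else branch would record the reasoning, e.g. `// early drop-ins (start after apparmor) are only installed without full system policy`; if it is not, the append belongs before the if/else so both branches get it. aaPrebuild starts and ends outside the hunk, so I cannot see whether the full-system-policy branch covers this elsewhere.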
diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go
index 7b7f75ba..8f0b9b46 100644
--- a/pkg/prebuild/prepare.go
+++ b/pkg/prebuild/prepare.go
@@ -23,6 +23,7 @@ var (
 Merge,
 Configure,
 SetFlags,
+ SetProfileSystemd,
 }
 PrepareMsg = map[string]string{
 "Synchronise": "Initialize a new clean apparmor.d build directory",
@@ -30,7 +31,8 @@ var (
 "Merge": "Merge all profiles",
 "Configure": "Set distribution specificities",
 "SetFlags": "Set flags on some profiles",
- "SetDefaultSystemd": "Set systemd unit drop in files to ensure some service start after apparmor",
+ "SetProfileSystemd": "Use the systemd unit file to set a profile for a given unit",
+ "SetEarlySystemd": "Set systemd unit drop in files to ensure some service start after apparmor",
 "SetFullSystemPolicy": "Configure AppArmor for full system policy",
 }
 )
@@ -198,11 +200,16 @@ func SetFlags() ([]string, error) {
 return res, nil
 }
 
-// Set systemd unit drop in files to ensure some service start after apparmor
-func SetDefaultSystemd() ([]string, error) {
+// Use the systemd unit file to set a profile for a given unit
+func SetProfileSystemd() ([]string, error) {
 return []string{}, copyTo(paths.New("systemd/default/"), Root.Join("systemd"))
 }
 
+// Set systemd unit drop in files to ensure some service start after apparmor
+func SetEarlySystemd() ([]string, error) {
+ return []string{}, copyTo(paths.New("systemd/early/"), Root.Join("systemd"))
+}
+
 // Set AppArmor for (experimental) full system policy.
 // See https://apparmor.pujol.io/full-system-policy/
 func SetFullSystemPolicy() ([]string, error) {
diff --git a/systemd/default/system/haveged.service b/systemd/early/system/haveged.service
similarity index 100%
rename from systemd/default/system/haveged.service
rename to systemd/early/system/haveged.service
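Review bot: SetProfileSystemd and SetEarlySystemd in the third hunk both copy into the same destination Root.Join("systemd"), and in the non-full-system-policy build both run (SetProfileSystemd is now in the default Prepares list in the first hunk, SetEarlySystemd is appended from cmd/prebuild/main.go), so a unit path present under both systemd/default/ and systemd/early/ would have one copy silently overwrite the other, losing either the profile assignment or the after-apparmor ordering. copyTo is defined outside this hunk, so whether it merges the two trees or replaces the destination cannot be confirmed here; either way the constraint deserves a comment on SetEarlySystemd such as `// The early and default trees must not contain the same unit path: both are copied into Root/systemd.`, or a collision check before the second copy. The new doc comments should also begin with the function name per Go convention, e.g. `// SetProfileSystemd installs the systemd unit files that set a profile for a given unit.` and `// SetEarlySystemd installs the drop-in files that make some services start after apparmor.`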
diff --git a/systemd/default/system/multipathd.service b/systemd/early/system/multipathd.service
similarity index 100%
rename from systemd/default/system/multipathd.service
rename to systemd/early/system/multipathd.service
diff --git a/systemd/default/system/pcscd.service b/systemd/early/system/pcscd.service
similarity index 100%
rename from systemd/default/system/pcscd.service
rename to systemd/early/system/pcscd.service
diff --git a/systemd/default/system/systemd-journald.service b/systemd/early/system/systemd-journald.service
similarity index 100%
rename from systemd/default/system/systemd-journald.service
rename to systemd/early/system/systemd-journald.service
diff --git a/systemd/default/system/systemd-networkd.service b/systemd/early/system/systemd-networkd.service
similarity index 100%
rename from systemd/default/system/systemd-networkd.service
rename to systemd/early/system/systemd-networkd.service
diff --git a/systemd/default/system/systemd-timesyncd.service b/systemd/early/system/systemd-timesyncd.service
similarity index 100%
rename from systemd/default/system/systemd-timesyncd.service
rename to systemd/early/system/systemd-timesyncd.service
diff --git a/systemd/default/system/systemd-userdbd.service b/systemd/early/system/systemd-userdbd.service
similarity index 100%
rename from systemd/default/system/systemd-userdbd.service
rename to systemd/early/system/systemd-userdbd.service