
... and the apparmor.systemd wrapper. Also add a new 'install-systemd' target to the Makefile to install these systemd-related files on (open)SUSE by default. Other distributions can follow by adding a dependency on 'install-systemd' to their 'install-$DISTRO' target. Note that apparmor.service has ExecStop=/bin/true so that running processes do not become unconfined if someone accidentally types systemctl restart apparmor (instead of using "reload"). Use aa-teardown if you really want to unload all profiles. The files in this commit have been used in openSUSE for a while, and also in Arch Linux. BTW: The condition on var-lib.mount is because openSUSE uses /var/lib/apparmor/cache/ - but with the changed btrfs layout on openSUSE, maybe I'll change that to /var/cache/apparmor/, which is a) used by Debian and b) more sane.
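# Loads AppArmor profiles once during early boot by running the
# apparmor.systemd wrapper with its "reload" action.

[Unit]
Description=Load AppArmor profiles
# Opt out of the implicit dependencies systemd adds to service units (among
# them After=sysinit.target), which would conflict with the ordering below.
DefaultDependencies=no
# Order profile loading ahead of sysinit.target. Profiles attach when a program
# is executed, so anything started before this unit finishes stays unconfined
# until it is restarted.
Before=sysinit.target
# NOTE(review): presumably ordered after the journald audit socket so that audit
# messages produced while loading profiles are captured - confirm.
After=systemd-journald-audit.socket
# profile cache
# After= only orders against these mounts; it does not pull them in.
After=var.mount var-lib.mount
# Skipped (not failed) when AppArmor is not enabled in the running kernel.
# A skipped unit raises no error, so check with aa-status that profiles are
# actually loaded rather than relying on this unit's state.
ConditionSecurity=apparmor

[Service]
# oneshot together with RemainAfterExit=yes below: the wrapper exits after
# loading, but the unit stays "active", so "systemctl reload apparmor" keeps
# working afterwards.
Type=oneshot
# Start and reload both run the wrapper's "reload" action.
ExecStart=/lib/apparmor/apparmor.systemd reload
ExecReload=/lib/apparmor/apparmor.systemd reload

# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
# from running processes (and not being able to re-apply it later).
# Upstream systemd developers refused to implement an option that allows overriding
# this behaviour, therefore we have to make ExecStop a no-op to error out on the
# safe side.
#
# If you really want to unload all AppArmor profiles, run aa-teardown
#
# Consequence: "systemctl stop apparmor" succeeds without unloading anything, so
# the unit's active/inactive state says nothing about whether profiles are loaded.
ExecStop=/bin/true
RemainAfterExit=yes

[Install]
# Enabling the unit hooks it into multi-user.target; the Before=sysinit.target
# ordering above still places the actual run early in boot.
WantedBy=multi-user.target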