From 0acc9a712cb67d6a793eebc2df362e6e95def52e Mon Sep 17 00:00:00 2001
From: David P
Date: Fri, 6 Apr 2018 10:23:47 -0300
Subject: upgpkg: pcr/apparmor 2.12.0-1

---
 pcr/apparmor/apparmor.service | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

(limited to 'pcr/apparmor/apparmor.service')

diff --git a/pcr/apparmor/apparmor.service b/pcr/apparmor/apparmor.service
index 93f273a0d..2490d1bb8 100644
--- a/pcr/apparmor/apparmor.service
+++ b/pcr/apparmor/apparmor.service
@@ -1,13 +1,24 @@
 [Unit]
-Description=AppArmor profiles
+Description=Load AppArmor profiles
 DefaultDependencies=no
-After=local-fs.target
 Before=sysinit.target
+After=systemd-journald-audit.socket
+After=var.mount var-lib.mount
+ConditionSecurity=apparmor
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/apparmor_load.sh
-ExecStop=/usr/bin/apparmor_unload.sh
+ExecStart=/usr/lib/apparmor/apparmor.systemd reload
+ExecReload=/usr/lib/apparmor/apparmor.systemd reload
+
+# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
+# from running processes (and not being able to re-apply it later).
+# Upstream systemd developers refused to implement an option that allows overriding
+# this behaviour, therefore we have to make ExecStop a no-op to error out on the
+# safe side.
+#
+# If you really want to unload all AppArmor profiles, run aa-teardown
+ExecStop=/usr/bin/true
 RemainAfterExit=yes
 
 [Install]
-- 
cgit v1.2.3
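Review bot: Dropping `After=local-fs.target` from [Unit] while `DefaultDependencies=no` stays leaves the loader ordered only after the journald audit socket and the two /var mount units, so any other local filesystem it reads from is no longer guaranteed to be mounted when `apparmor.systemd reload` runs before sysinit.target. If profiles, includes or the cache can sit on a separate mount in this packaging, a partial load early in boot would leave services starting unconfined; I would keep `After=local-fs.target` next to the new lines, or state the dependency by path with `RequiresMountsFor=<profile and cache directories>`. Separately, `ConditionSecurity=apparmor` makes the unit skip rather than fail when the kernel has AppArmor disabled, so a one-line comment above it such as `# Skipped (not failed) when AppArmor is not enabled in the kernel; confirm with aa-status` would help operators notice a host that booted without confinement.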