Questions regarding partial policy load, and the future
Jamie Strandboge
jamie at canonical.com
Sun Jun 20 14:04:23 BST 2010
On Sat, 2010-06-19 at 17:15 -0700, Seth Arnold wrote:
> [Apologies to Jamie for the initial direct reply only to him.]
>
> On Sat, Jun 19, 2010 at 1:55 PM, Jamie Strandboge <jamie at canonical.com> wrote:
> > imagine the benefits of doing so now are not that great (ie, we install
> > a new cups profile, and then do a '/etc/init.d/apparmor reload' -- with
> > caching, the load of the cached profiles is nearly instantaneous so the
> > user only really feels the compilation of the new policy, as opposed to
> > before, when all the profiles were recompiled).
>
> All profiles are recompiled with reload:
>
> restart|reload|force-reload)
> log_daemon_msg "Reloading AppArmor profiles"
> securityfs
> clear_cache
> load_configured_profiles
> rc=$?
> ...
>
Ah so it is. I stand corrected. That said, we could reimplement one of
restart or reload (or something else) to work as I thought it did. I see
multiple possibilities for implementation and usage in packaging, but
the basic idea is that we generate the cache file for the new/updated
profile and then trigger a reload that loads the cache files rather than
recompile all the profiles. AIUI, this would be the simulated individual
policy load John mentioned initially.
--
Jamie Strandboge | http://www.canonical.com
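
Added example, not part of the original message or of the AppArmor init script: a sketch of the reload described above, which recompiles only profiles whose cache entry is missing or older than the source and then loads every profile with cache reads enabled. The function names, the PARSER dry-run variable, the flat one-file-per-profile cache layout and the mtime-only staleness test are assumptions; the apparmor_parser long options are the parser's real ones.

```shell
#!/bin/sh
# Added illustration. Assumptions: one profile per file in the profile
# directory, a cache entry with the same basename in the cache directory,
# staleness judged by mtime of the profile file only (changes to included
# files are not tracked here).

# Print profiles whose cache entry is missing or older than the source.
stale_profiles() {
    profile_dir=$1
    cache_dir=$2
    for p in "$profile_dir"/*; do
        [ -f "$p" ] || continue
        c="$cache_dir/$(basename "$p")"
        if [ ! -f "$c" ] || [ "$p" -nt "$c" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Recompile only the stale profiles into the cache, then load all profiles.
# PARSER defaults to a dry run that echoes each command instead of running it.
partial_reload() {
    profile_dir=$1
    cache_dir=$2
    parser=${PARSER:-echo apparmor_parser}
    stale_profiles "$profile_dir" "$cache_dir" | while IFS= read -r p; do
        # Compile and write the cache entry without touching the kernel.
        $parser --skip-kernel-load --skip-read-cache --write-cache \
            --cache-loc "$cache_dir" "$p"
    done
    for p in "$profile_dir"/*; do
        [ -f "$p" ] || continue
        # Cache reads are left enabled, so fresh entries need no recompile.
        $parser --replace --cache-loc "$cache_dir" "$p"
    done
}

# Usage: script PROFILE_DIR CACHE_DIR   (set PARSER=apparmor_parser to apply)
if [ $# -eq 2 ]; then
    partial_reload "$1" "$2"
fi
```

Unlike the clear_cache step in the quoted init script, nothing here discards existing cache entries, so an unchanged profile costs only a cache read.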