[apparmor] [Patch] [Bug 731184] Re: apparmor_parser fails to consider its own time stamp when determining if profile cache is stale

John Johansen john.johansen at canonical.com
Tue Mar 8 18:50:58 UTC 2011


If the apparmor_parser is updated (outside of current packaging), when
doing profile loads it will use the existing cache of compiled profiles,
instead of forcing a recompile on profiles.

This can cause apparmor to load bad policy if the parser contains a bug
fix for the previous version of the parser.

This can be worked around in packaging by invalidating the cache and
forcing a profile reload when the parser is upgraded.

=== modified file 'parser/parser_main.c'
--- parser/parser_main.c	2011-03-03 23:45:10 +0000
+++ parser/parser_main.c	2011-03-08 18:38:28 +0000
@@ -805,6 +805,7 @@
 	char * cachename = NULL;
 	char * cachetemp = NULL;
 	char *basename = NULL;
+	FILE *cmd;
 
 	/* per-profile states */
 	force_complain = opt_force_complain;
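Review bot: `FILE *cmd;` is declared without an initializer while the neighbouring pointers in this context (`cachename`, `cachetemp`, `basename`) are all set to NULL at declaration; initialize it to NULL for consistency. A more descriptive name would also help, since `cmd` does not say that the handle refers to the parser's own executable.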
@@ -852,6 +853,12 @@
 		update_mru_tstamp(yyin);
 	}
 
+	cmd = fopen(progname, "r");
+	if (cmd) {
+		update_mru_tstamp(cmd);
+		fclose(cmd);
+	}
+
 	retval = yyparse();
 	if (retval != 0)
 		goto out;
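Review bot: the `if (cmd)` test after `fopen(progname, "r")` has no else branch, so when the open fails the parser's own timestamp is silently left out of the staleness check and an outdated cache can still be used, which is the case this patch is meant to close. If `progname` can be a bare or relative name (how it is set is not visible in this hunk), the open depends on the current working directory and may fail or open an unrelated file. Suggest resolving the running binary's real path first and, on failure, either treating the cache as stale or at least emitting a warning.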



