[apparmor] Policy cache

John Johansen john.johansen at canonical.com
Wed Nov 9 23:38:36 UTC 2011


Currently apparmor uses /etc/apparmor.d/cache as the location to cache
precompiled profiles. This is somewhat an abuse of /etc/ and a more
natural location would be in /var/cache/apparmor/.

However, on some systems /var/ may not be mounted when the policy cache
is needed.  As such moving to /var/ is problematic, as either policy
must be recompiled on boot, or we end up with a cache in both /etc/ and
/var/ on some systems.

With that said, we should add an option to the apparmor_parser to allow
setting the cache location.  If an alternate cache location is desired,
a new default could be set in the /etc/apparmor.d/parser.conf file.


The other issue that has been raised about the cache is that it is
only valid for one kernel/feature set.  A potential solution to this
is to move to a scheme similar to modules in the kernel.

e.g.
  /etc/apparmor.d/cache/3.2/...

This would avoid having to recompute the cache on first boot after
a kernel change, and allow keeping the current cache valid.
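The per-kernel cache layout proposed above, as an added illustration (not apparmor_parser's own code): the cache directory is keyed by the kernel release, and a cached profile counts as usable only if an entry exists for the running kernel and the profile source is not newer than it. The root directory, the `cache_path`/`cache_state` helpers and the sample profile tree are all assumptions of this example.

```shell
#!/bin/sh
# Assumed layout: $root/<kernel release>/<profile name>,
# e.g. /etc/apparmor.d/cache/3.2/usr.sbin.foo (illustration only).

# Print the path of the cached binary for a profile source, keyed by kernel release.
cache_path() {
    printf '%s/%s/%s\n' "$1" "$2" "$(basename "$3")"
}

# Print "fresh" if a cached binary exists for this kernel and the profile
# source is not newer than it; otherwise "stale", i.e. recompile for this kernel.
cache_state() {
    src=$1; root=$2; kernel=$3
    cached=$(cache_path "$root" "$kernel" "$src")
    if [ -f "$cached" ] && [ ! "$src" -nt "$cached" ]; then
        echo fresh
    else
        echo stale
    fi
}

# Demo on a constructed profile/cache tree in a temp dir (not real profiles).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/profiles" "$tmp/cache/3.2"
    printf '/usr/sbin/foo {\n}\n' > "$tmp/profiles/usr.sbin.foo"
    touch -t 200001010000 "$tmp/profiles/usr.sbin.foo"   # old profile source
    : > "$tmp/cache/3.2/usr.sbin.foo"                      # cache built for kernel 3.2
    # Cache exists for 3.2 but not for 3.3, so only 3.3 needs a recompile.
    printf '3.2: %s\n' "$(cache_state "$tmp/profiles/usr.sbin.foo" "$tmp/cache" 3.2)"
    printf '3.3: %s\n' "$(cache_state "$tmp/profiles/usr.sbin.foo" "$tmp/cache" 3.3)"
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run as `sh script.sh demo`; in practice the kernel key would come from `uname -r` on the booting system.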

