[apparmor] Policy cache

Kees Cook kees at ubuntu.com
Wed Nov 9 23:52:02 UTC 2011


On Wed, Nov 09, 2011 at 03:38:36PM -0800, John Johansen wrote:
> With that said we should add an option to the apparmor_parser to allow
> setting the cache location.  If an alternate cache location is desired
> a new default could be set in the /etc/apparmor.d/parser.conf file

I would recommend /lib/apparmor/cache as the new upstream default location.
It should be an option, though, yes.

> The other issue that has been raised about the cache is that it is
> only valid for one kernel/feature set.  A potential solution to this
> is to move to a scheme similar to modules in the kernel.
> 
> eg.
>   /etc/apparmor.d/cache/3.2/...
> 
> This would avoid having to recompute the cache on first boot after
> a kernel change, and allow keeping the current cache valid.

Oh, I do like that idea. It'd need more than just the kernel name, though,
since it also examines features. Maybe a features hash? Everything I can
think of right now is rather ugly, though:

/lib/apparmor/cache/3.2.0-5-generic/f3.1-c2.0-n1.0-ch1.5-cp1.1-ns1.1-r1.1/
vs
/lib/apparmor/cache/3.2.0-5-generic/53a52f9de6ecda8934225775c5aedbd0/

Hash is ugly, but ends up being actually shorter than a massively
abbreviated feature list. And it lets us add more to the hash if there is
ever some non-feature reason to invalidate caches.

(This needs distro support, though, to clean up caches on kernel removal.
Ubuntu's apparmor can easily ship a script in /etc/kernel/postrm.d/
though.)

-Kees

-- 
Kees Cook
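As an added worked example, not code from Kees, John or apparmor_parser: a POSIX sh sketch of the cache layout proposed above (cache root / kernel release / hash of the features tree) together with the kind of cleanup hook a /etc/kernel/postrm.d/ script could run to drop a removed kernel's cache subtree. The function names, the exact hashing scheme (md5 over sorted file paths and contents) and the sample features tree are assumptions; the features tree is constructed inline to stand in for /sys/kernel/security/apparmor/features so the script runs offline.

```shell
#!/bin/sh
# Added example (assumption, not apparmor_parser's own logic): derive a cache
# directory keyed on kernel release plus a hash of the kernel's feature set,
# and clean it up the way a kernel postrm hook would.
set -eu

# md5 hex digest of stdin; md5sum on GNU/Linux, md5 -q as a fallback.
hash_stream() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        md5 -q
    fi
}

# Hash a features directory (e.g. /sys/kernel/security/apparmor/features).
# Each file's relative path is fed in ahead of its contents, in sorted order,
# so that adding, removing or renaming a feature file changes the hash,
# not just editing one.
features_hash() {
    featdir=$1
    ( cd "$featdir" && find . -type f | LC_ALL=C sort | while read -r f; do
        printf '%s\n' "$f"
        cat "$f"
    done ) | hash_stream
}

# Cache directory for one (kernel release, feature set) pair:
#   <root>/<kernel release>/<features hash>
# Pass the release explicitly rather than calling uname -r so the layout
# can be computed for a kernel that is not the running one.
cache_dir() {
    root=$1
    kver=$2
    featdir=$3
    printf '%s/%s/%s\n' "$root" "$kver" "$(features_hash "$featdir")"
}

# What a /etc/kernel/postrm.d/ hook would do: postrm hooks receive the
# removed kernel's version as $1, so drop that release's whole cache subtree,
# every feature-hash variant included.
cleanup_kernel_cache() {
    root=$1
    kver=$2
    case "$kver" in
        ''|*/*|.|..) echo "refusing bad kernel version: $kver" >&2; return 1 ;;
    esac
    rm -rf "$root/$kver"
}

# Constructed sample features tree (not real kernel output), shaped like the
# per-feature files and subdirectories under securityfs.
make_sample_features() {
    featdir=$1
    mkdir -p "$featdir/file" "$featdir/network"
    printf 'mask {read write exec append mmap_exec link lock}\n' > "$featdir/file/mask"
    printf 'af_mask {unix inet inet6 packet netlink}\n' > "$featdir/network/af_mask"
    printf 'mask {chown dac_override kill}\n' > "$featdir/capability"
}
```

Usage: `. ./cache-layout.sh; cache_dir /lib/apparmor/cache "$(uname -r)" /sys/kernel/security/apparmor/features` prints the directory a parser run on this kernel would read and write, and `cleanup_kernel_cache /lib/apparmor/cache 3.2.0-5-generic` is the postrm side. Hashing paths as well as contents matters: two kernels whose features differ only in which files exist would otherwise collide.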