[apparmor] Policy cache
Seth Arnold
seth.arnold at gmail.com
Thu Nov 10 00:43:44 UTC 2011
On Wed, Nov 9, 2011 at 3:52 PM, Kees Cook <kees at ubuntu.com> wrote:
> On Wed, Nov 09, 2011 at 03:38:36PM -0800, John Johansen wrote:
>> With that said we should add an option to the apparmor_parser to allow
>> setting the cache location. If an alternate cache location is desired
>> a new default could be set in the /etc/apparmor.d/parser.conf file
>
> I would recommend /lib/apparmor/cache as the new upstream default location.
> It should be an option, though, yes.
I know /lib is usually available early, but I don't care for the idea
of considering it a "writable location". That's what /var is there for
-- per-service dynamic storage. If someone wanted a read-only root
(where /lib lives on most installations) then we'd be a real
annoyance.
> Oh, I do like that idea. It'd need more than just the kernel name, though,
> since it also examines features. Maybe a features hash? Everything I can
> think of right now is rather ugly, though:
>
> /lib/apparmor/cache/3.2.0-5-generic/f3.1-c2.0-n1.0-ch1.5-cp1.1-ns1.1-r1.1/
> vs
> /lib/apparmor/cache/3.2.0-5-generic/53a52f9de6ecda8934225775c5aedbd0/
The hash need not be this complicated: it could just be:
/lib/apparmor/cache/3.2.0-5-generic/f3.1-c2.0-n1.0-ch1.5-cp1.1-ns1.1-r1.1/
reduced to:
/lib/apparmor/cache/3.2.0-5-generic/31201015111111
The short tags of the first approach are implicit by the position in
the shorter string. When new features are added, the string grows in
length. (I'm just looking to avoid the need to write code to parse the
directory name beyond simple equality tests. The first version is fine
if we're agreed that we're not going to try to parse directory
names... :)
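The three cache-directory naming schemes discussed in this thread (Kees's tagged form and hash form, and Seth's position-only reduced form), as an added example that is not part of the original thread and not code from apparmor_parser. It assumes the tag/version layout of the quoted string `f3.1-c2.0-n1.0-ch1.5-cp1.1-ns1.1-r1.1` (what each tag stands for is not stated in the thread and is not needed), uses `/lib/apparmor/cache` only because that is the path quoted above, and picks md5 for the hash form purely because the quoted example is 32 hex characters; the thread does not name a hash. The `cache_usable` check is the plain string-equality test Seth is aiming for, and `reduced_collision` shows the one thing a reviewer would want to verify about the reduced form: two feature sets that differ in the tagged form but map to the same reduced string once a version component reaches two digits (the pair used is constructed).

```python
import hashlib
import posixpath

# Constructed sample input: the kernel name and tagged feature string quoted
# in the thread. Which real AppArmor feature each tag stands for is not given
# there; only the tag/version layout matters for the naming schemes.
SAMPLE_KERNEL = "3.2.0-5-generic"
SAMPLE_FEATURES = "f3.1-c2.0-n1.0-ch1.5-cp1.1-ns1.1-r1.1"


def parse_tagged(feature_string):
    """Split 'f3.1-c2.0-...' into an ordered list of (tag, version) pairs."""
    pairs = []
    for item in feature_string.split("-"):
        tag = item.rstrip("0123456789.")
        version = item[len(tag):]
        if not tag or not version:
            raise ValueError(f"malformed feature item: {item!r}")
        pairs.append((tag, version))
    return pairs


def tagged_name(features):
    """Kees's first form: tag plus version per feature, joined with '-'."""
    return "-".join(tag + version for tag, version in features)


def reduced_name(features):
    """Seth's form: drop the tags and dots; position alone carries meaning."""
    return "".join(version.replace(".", "") for _, version in features)


def hashed_name(features):
    """Kees's second form: a digest of the tagged string. The thread does not
    say which hash; md5 is assumed here only because the quoted example
    directory name is 32 hex characters long."""
    return hashlib.md5(tagged_name(features).encode("ascii")).hexdigest()


STYLES = {"tagged": tagged_name, "reduced": reduced_name, "hashed": hashed_name}


def cache_dir(base, kernel, features, style):
    """Build <base>/<kernel>/<feature-id> in the requested naming style."""
    return posixpath.join(base, kernel, STYLES[style](features))


def cache_usable(cached_dir, base, kernel, features, style):
    """The load-time check: a cache directory is usable only if its name is
    exactly what the running kernel and its feature set would produce now.
    Plain equality, no parsing of the directory name, as Seth wants."""
    return cached_dir == cache_dir(base, kernel, features, style)


def reduced_collision(a, b):
    """True if two different feature sets share one reduced name, i.e. an
    equality test on the reduced form would wrongly accept a stale cache."""
    return tagged_name(a) != tagged_name(b) and reduced_name(a) == reduced_name(b)


if __name__ == "__main__":
    feats = parse_tagged(SAMPLE_FEATURES)
    for style in STYLES:
        print(style, cache_dir("/lib/apparmor/cache", SAMPLE_KERNEL, feats, style))
    # Constructed pair: once a version component has two digits, the reduced
    # form can no longer tell these two feature sets apart.
    a = parse_tagged("f3.10-c2.0")
    b = parse_tagged("f31.0-c2.0")
    print("reduced collision:", reduced_collision(a, b))
```

Run it directly to print the three directory names for the sample kernel; the tagged and hashed forms stay unambiguous for multi-digit versions, while the reduced form only works as long as every version component is a single digit, which is the check worth adding before relying on equality tests alone.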