[apparmor] Policy cache

Kees Cook kees at ubuntu.com
Thu Nov 10 00:54:48 UTC 2011


On Wed, Nov 09, 2011 at 04:43:44PM -0800, Seth Arnold wrote:
> On Wed, Nov 9, 2011 at 3:52 PM, Kees Cook <kees at ubuntu.com> wrote:
> > On Wed, Nov 09, 2011 at 03:38:36PM -0800, John Johansen wrote:
> >> With that said we should add an option to the apparmor_parser to allow
> >> setting the cache location.  If an alternate cache location is desired
> >> a new default could be set in the /etc/apparmor.d/parser.conf file
> >
> > I would recommend /lib/apparmor/cache as the new upstream default location.
> > It should be an option, though, yes.
> 
> I know /lib is usually available early, but I don't care for the idea
> of considering it a "writable location". That's what /var is there for
> -- per-service dynamic storage. If someone wanted a read-only root
> (where /lib lives on most installations) then we'd be a real
> annoyance.

Hrm. So /var by default? And people with /var not in / can relocate it as
needed? I'd almost rather keep it in /etc. More people move /var than /lib.
For example, udev uses /etc for cached rules.

> The hash need not be this complicated: it could just be:
> 
> /lib/apparmor/cache/3.2.0-5-generic/f3.1-c2.0-n1.0-ch1.5-cp1.1-ns1.1-r1.1/
> reduced to:
> /lib/apparmor/cache/3.2.0-5-generic/31201015111111

But that means we can't ever go from .9 to .10. I think a hash would be
fine -- we're just looking for whatever matches.

-Kees

-- 
Kees Cook
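The cache-directory naming discussed above, worked through as an added example. This is not code from the thread or from apparmor_parser; the cache root and the first feature string are the ones quoted in the message, the other feature strings are constructed to show what happens once one component goes from .9 to .10, which is the objection raised in the reply.

```python
import hashlib
import re
from collections import defaultdict

CACHE_ROOT = "/lib/apparmor/cache"  # location quoted in the thread

# FEATURES_A is the exact string quoted in the message. B, C and D are
# constructed for illustration (not real kernel output): they differ only
# in where the "." falls once a component crosses from .9 to .10.
FEATURES_A = "f3.1-c2.0-n1.0-ch1.5-cp1.1-ns1.1-r1.1"
FEATURES_B = "f3.1-c2.0-n1.0-ch1.5-cp1.1-ns1.1-r1.10"
FEATURES_C = "f3.1-c2.0-n1.0-ch1.5-cp1.1-ns1.1-r11.0"
FEATURES_D = "f3.1-c2.0-n1.0-ch1.5-cp1.1-ns1.11-r1.0"


def digits_key(kernel: str, features: str) -> str:
    """The 'reduced' scheme from the quoted message: keep only the digits.

    Dropping the separators loses the field boundaries, so distinct
    feature sets can land in the same cache directory.
    """
    return f"{CACHE_ROOT}/{kernel}/" + re.sub(r"\D", "", features)


def hash_key(kernel: str, features: str) -> str:
    """Hash the whole feature string, separators included.

    Any change to the string, including a two-digit minor version, gives a
    different directory, and the fixed-length name does not grow as more
    feature fields are added.
    """
    digest = hashlib.sha256(features.encode("ascii")).hexdigest()
    return f"{CACHE_ROOT}/{kernel}/{digest}"


def collisions(kernel: str, feature_strings, keyfunc) -> dict:
    """Group distinct feature strings that keyfunc maps to one directory.

    Returns {cache_dir: [feature strings]} for directories shared by more
    than one feature string; an empty dict means the scheme is collision
    free on this input.
    """
    groups = defaultdict(set)
    for fs in feature_strings:
        groups[keyfunc(kernel, fs)].add(fs)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    kernel = "3.2.0-5-generic"
    sample = [FEATURES_A, FEATURES_B, FEATURES_C, FEATURES_D]
    for fs in sample:
        print(f"{fs:40} -> {digits_key(kernel, fs)}")
    print("digit-only collisions:", collisions(kernel, sample, digits_key))
    print("hash collisions:      ", collisions(kernel, sample, hash_key))
```

Run as is, the digit-only scheme reproduces the `31201015111111` directory quoted in the message for the first string and puts the three constructed variants (`r1.10`, `r11.0`, `ns1.11`) in one shared directory, while the hashed names stay distinct. The practical consequence of a collision is that the parser could load a policy compiled against a different kernel feature set, so whichever scheme is chosen, the cached file should still carry and check the full feature string it was built from rather than trusting the directory name alone (my design note, not something the thread states).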
