[apparmor] Policy cache

John Johansen john.johansen at canonical.com
Fri Nov 11 04:49:15 UTC 2011


On 11/10/2011 08:34 PM, Seth Arnold wrote:
> On Thu, Nov 10, 2011 at 8:20 PM, John Johansen
> <john.johansen at canonical.com> wrote:
>>> If you really want, make it a config option - but please try to avoid
>>> that AppArmor gets renamed to KAppArmor one day *eg*
>>>
>> ugh kAppArmor yuk
> 
> You'd rather have gAppArmor, with no configuration options at all? :)

No, as wouldn't that mean I'd have to throw everything out and rewrite it
all?

> 
>> I missed faster boot time after a new kernel install.  We can't
>> currently just create cache for the new kernel being installed,
>> because another package being installed might come along after and
>> cause cache rebuilds based on the current kernel.
> 
> If you can figure out the binary version and features versions from a
> kernel package, we could do the policy re-compiling out of
> /etc/kernel/postinst.d/ to try to get some of them populated in a new
> cache directory (presuming version and features cache directories)
> _before_ reboot. nice nice ionice -c 3 /etc/init.d/apparmor recache &
> could probably get a few rebuilt before a reboot.

Right, we could, but then another package comes along after the kernel
install, does some policy manipulation (updates a profile, drops in a
new one), and then the cache ends up being invalidated and recomputed
again, because the package needs to load the profile against the live
system: it doesn't know when you are going to reboot (even if the
system is flagged for rebooting), and the service it is updating/
installing is live once it's done.
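A sketch of the per-kernel cache directory idea Seth raises above, as an added example that is not code from this thread or from the AppArmor project. It assumes a cache root under /var/cache/apparmor, that the hook is handed the new kernel's features file, and that the recache command (taken verbatim from the thread) is later pointed at the per-kernel directory; only the directory keying is shown here.

```shell
#!/bin/sh
# Added example, not from the thread or the AppArmor project: a kernel
# postinst.d hook sketch that keys a policy cache directory on the kernel
# version plus a hash of that kernel's AppArmor features file. The cache
# root, the features-file argument and the recache command are assumptions.
set -eu

CACHE_ROOT="${CACHE_ROOT:-/var/cache/apparmor}"             # assumed layout
RECACHE_CMD="${RECACHE_CMD:-/etc/init.d/apparmor recache}"  # as in the thread

# Short digest of a features file, so kernels with identical features share
# one cache and any feature change yields a fresh directory.
features_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -c1-16
    else
        shasum -a 256 "$1" | cut -c1-16
    fi
}

# Print the cache directory for kernel version $1 and features file $2.
cache_dir_for() {
    printf '%s/%s-%s\n' "$CACHE_ROOT" "$1" "$(features_hash "$2")"
}

# Hook body: create the directory for the new kernel and start a
# low-priority rebuild in the background, once per version/features pair.
# A later profile update that recompiles against the running kernel keys
# to a different directory, so it does not discard this work (assuming the
# parser is configured to use the per-kernel directory).
prepare_cache_for_kernel() {
    dir="$(cache_dir_for "$1" "$2")"
    if [ -d "$dir" ]; then
        echo "cache already present: $dir"
        return 0
    fi
    mkdir -p "$dir"
    echo "building cache in $dir"
    # RECACHE_CMD is intentionally word-split; ionice -c 3 keeps the rebuild
    # from competing with the rest of the package install.
    nice ionice -c 3 $RECACHE_CMD >/dev/null 2>&1 &
}
```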
