[apparmor] force-complain symlinks break cache?
John Johansen
john.johansen at canonical.com
Sun Sep 29 11:52:37 UTC 2013
On 09/25/2013 03:41 PM, Christian Boltz wrote:
> Hello,
>
> it seems using force-complain/ symlinks breaks cache usage:
>
> root at beta:/etc/apparmor.d/force-complain> time rcapparmor reload
> redirecting to systemctl reload apparmor
>
> real 0m0.791s
> user 0m0.004s
> sys 0m0.000s
>
> Now let's create force-complain symlinks for all profiles:
>
> root at beta:/etc/apparmor.d/force-complain> ln -s ../* .
>
> root at beta:/etc/apparmor.d/force-complain> time rcapparmor reload
> redirecting to systemctl reload apparmor
>
> real 0m17.267s
> user 0m0.000s
> sys 0m0.004s
> root at beta:/etc/apparmor.d/force-complain> time rcapparmor reload
> redirecting to systemctl reload apparmor
>
> real 0m17.250s
> user 0m0.000s
> sys 0m0.004s
>
>
> This is a server with openSUSE 13.1 beta with AppArmor 2.8.2.
>
>
Yes, at the moment the parser doesn't use the cache when force-complain
is used. The issue is that force-complain changes can't be detected
at the filesystem time stamp level.
Force-complain can be done via a symlink or the -C parser flag. Neither
leaves an easy-to-detect change. Adding a symlink can be detected, but
when removing it, the cache is still newer than the text file.
It's going to take some work to fix this.
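The detection gap described above, as an added example (not code from the AppArmor parser or from either poster): a simulated profile, binary cache and force-complain/ directory with explicitly set mtimes, a timestamp-only staleness check that notices an added symlink but not a removed one, and a variant that also compares the force-complain directory's own mtime. The `cache_is_stale` functions and file names are assumptions for illustration.

```python
import os
import tempfile

# Hypothetical model of a timestamp-only check (not apparmor_parser's real
# logic): reuse the cached binary unless the profile text, or a force-complain
# symlink that currently exists, is newer than the cache file.
def naive_cache_is_stale(profile, cache, link):
    if not os.path.exists(cache):
        return True
    cache_mtime = os.stat(cache).st_mtime
    if os.stat(profile).st_mtime > cache_mtime:
        return True
    # An added symlink is newer than the cache, so it is noticed ...
    if os.path.lexists(link) and os.lstat(link).st_mtime > cache_mtime:
        return True
    # ... but a removed symlink leaves nothing newer than the cache to compare.
    return False

def mode_aware_cache_is_stale(profile, cache, link, fc_dir):
    # Also compare the force-complain directory itself: creating or unlinking
    # an entry updates the directory's mtime even when the profile is untouched.
    if naive_cache_is_stale(profile, cache, link):
        return True
    return os.stat(fc_dir).st_mtime > os.stat(cache).st_mtime

def touch(path, t):
    # Pin mtimes to a logical clock so the scenario is deterministic.
    os.utime(path, (t, t), follow_symlinks=False)

def simulate():
    root = tempfile.mkdtemp()
    profile = os.path.join(root, "usr.sbin.foo")        # constructed profile
    cache = os.path.join(root, "cache", "usr.sbin.foo")  # constructed cache
    fc_dir = os.path.join(root, "force-complain")
    link = os.path.join(fc_dir, "usr.sbin.foo")
    os.makedirs(os.path.dirname(cache)); os.makedirs(fc_dir)
    with open(profile, "w") as f:
        f.write("/usr/sbin/foo { }\n")
    touch(profile, 1); touch(fc_dir, 1)
    def build_cache(t):
        with open(cache, "wb") as f:
            f.write(b"cached-binary")
        touch(cache, t)
    def check():
        return (naive_cache_is_stale(profile, cache, link),
                mode_aware_cache_is_stale(profile, cache, link, fc_dir))
    results = {}
    build_cache(2); results["fresh"] = check()                  # (False, False)
    os.symlink(os.path.join("..", "usr.sbin.foo"), link)        # ln -s ../* .
    touch(link, 3); touch(fc_dir, 3); results["link_added"] = check()  # (True, True)
    build_cache(4)                                              # rebuilt in complain mode
    os.unlink(link); touch(fc_dir, 5); results["link_removed"] = check()  # (False, True)
    return results
```

The "link_removed" case is the one the reply describes: the profile text and cache are unchanged, so the naive check would happily load a complain-mode cache for a profile that should now be enforced.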