[apparmor] Bug#735470: Fwd: Bug#735470: Could be implemented centrally with a dpkg trigger instead of requiring every package shipping an apparmor file to use dh_apparmor
Kees Cook
kees at ubuntu.com
Thu Jan 16 18:14:14 UTC 2014
On Thu, Jan 16, 2014 at 11:11:22AM +0100, Didier 'OdyX' Raboud wrote:
> Le mercredi, 15 janvier 2014, 11.14:07 Seth Arnold a écrit :
> > On Wed, Jan 15, 2014 at 07:30:52PM +0100, intrigeri wrote:
> > > From: Didier Raboud <odyx at debian.org>
> > > apparmor could have an 'interest /etc/apparmor.d/' triggers file and
> > > its postinst would then do the machinery to create (or remove) the
> > > /etc/apparmor.d/local/* files accordingly.
> >
> > This does sound nice, but the next part worries me..
> >
> > > This could also have the side benefit of only running
> > > apparmor_parser once for all files installed at the same time.
> >
> > When would this single apparmor_parser run happen? It needs to happen
> > before daemons are started or restarted in their postinst scripts,
> > otherwise the AppArmor policy won't be enforced.
>
> As far as I understand deb-triggers' manpage, this can be enforced using
> 'activate /etc/apparmor.d/', which will then make the trigger run "at
> the start of the configure operation", which ensures exactly what you
> want.
Per-policy reloads must happen before a daemon restarts, so they cannot be
triggers.
All-policy reloads should be avoided entirely, so they shouldn't be
triggers either. :)
-Kees
--
Kees Cook
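The two code paths the thread contrasts, a per-package profile load done in the package's own postinst before its daemon is restarted versus a central reload run from an 'interest /etc/apparmor.d' trigger, as an added example that is not part of this message and is not the dh_apparmor or apparmor packaging code. The structure of the "configure" branch follows the dh_apparmor approach as I understand it; APPARMOR_PARSER and APPARMOR_DIR are hypothetical overrides so the script can be exercised on a machine without AppArmor, and the profile names in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, dh_apparmor or the apparmor package).
#
# "configure" path: the package loads its own profile immediately, so the
#   daemon (re)start that follows later in the same postinst already runs
#   under policy. This is the ordering the thread says a trigger cannot give.
# "triggered" path: what a central apparmor postinst would do for a
#   debian/triggers file containing the single line
#       interest /etc/apparmor.d
#   It batches every profile into one reload, but only runs when dpkg
#   processes the trigger, not at a point the shipping package controls.
#
# APPARMOR_PARSER / APPARMOR_DIR are hypothetical overrides for offline use
# (e.g. APPARMOR_PARSER=echo prints the command instead of loading policy).
APPARMOR_PARSER="${APPARMOR_PARSER:-apparmor_parser}"
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"

# Create the empty local/ override file that a shipped profile #includes,
# so the profile still parses before an admin has written any overrides.
ensure_local_override() {
    local_file="$APPARMOR_DIR/local/$1"
    if [ ! -e "$local_file" ]; then
        mkdir -p "$APPARMOR_DIR/local"
        : > "$local_file"
    fi
}

# Per-package path: load exactly one profile, now.
# -r replace an already loaded profile, -T skip the read cache,
# -W write the cache (the flag set dh_apparmor-generated snippets use).
load_one_profile() {
    profile="$1"
    if [ -f "$APPARMOR_DIR/$profile" ]; then
        ensure_local_override "$profile"
        "$APPARMOR_PARSER" -r -T -W "$APPARMOR_DIR/$profile"
    fi
}

# Trigger path: one pass over every top-level profile file in the directory
# (subdirectories such as abstractions/, tunables/ and local/ are skipped).
load_all_profiles() {
    for f in "$APPARMOR_DIR"/*; do
        [ -f "$f" ] || continue
        "$APPARMOR_PARSER" -r -T -W "$f"
    done
}

# Dispatcher modelled on the "$1" argument dpkg passes to a postinst:
#   postinst configure <profile-name>   (package's own postinst)
#   postinst triggered                  (central apparmor postinst)
postinst() {
    case "$1" in
        configure) load_one_profile "$2" ;;
        triggered) load_all_profiles ;;
        *) return 0 ;;
    esac
}
```

Running `APPARMOR_PARSER=echo APPARMOR_DIR=/tmp/aa-test sh -c '. ./postinst.sh; postinst configure usr.sbin.foo'` shows the single parser invocation the per-package path issues, which is the call that must land before the daemon restart; `postinst triggered` shows the batched form, whose timing is decided by dpkg's trigger processing rather than by the package whose daemon is about to start.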