[apparmor] Bug#735470: Fwd: Bug#735470: Could be implemented centrally with a dpkg trigger instead of requiring every package shipping an apparmor file to use dh_apparmor

Kees Cook kees at ubuntu.com
Thu Jan 16 22:49:06 UTC 2014


On Thu, Jan 16, 2014 at 07:37:04PM +0100, Didier 'OdyX' Raboud wrote:
> On Thursday, 16 January 2014 10.14:14, you wrote:
> > On Thu, Jan 16, 2014 at 11:11:22AM +0100, Didier 'OdyX' Raboud wrote:
> > > As far as I understand deb-triggers' manpage, this can be enforced
> > > using 'activate /etc/apparmor.d/', which will then make the trigger
> > > run "at the start of the configure operation", which ensures
> > > exactly what you want.
> > 
> > Per-policy reloads must happen before a daemon restarts, so they
> > cannot be triggers.
> 
> Err…
> 
> man deb-triggers contradicts you, in my reading; an 'activate 
> /etc/apparmor.d' triggers' file in apparmor would make its action run 
> _before_ cups (which would have shipped /etc/apparmor.d/usr.sbin.cupsd) 
> would be 'configured' (hence its postinst run).
> 
> Isn't it?

Right, sorry, you are right, but my original observation stands: we should
never reload all apparmor profiles when installing a single profile. Just
the single profile should be reloaded. Otherwise we end up doing very
CPU expensive work for no reason. The point of dh-apparmor is to reload a
single profile, not all of them. Doing a trigger for all-profile reload
isn't something we want. Think of the situation where someone has 5000
apache virtual host profiles and they update cups. We never want to wait
for those 5000 to be reloaded when cups's profile is installed. Hence,
dh_apparmor.

-Kees

-- 
Kees Cook
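Added illustration of the cost argument in the message above (example script, not code from this thread, from dh-apparmor or from the apparmor package). It shows the two reload shapes side by side: a dh_apparmor-style single-profile reload that a package's own postinst runs before its daemon restarts, and the directory-wide reload that an 'activate /etc/apparmor.d' trigger in the apparmor package would have to perform, since a trigger is not told which file was just installed. The real commands are `apparmor_parser -r -T -W` and `aa-status --enabled`; the `APPARMOR_PARSER` and `AA_STATUS` override variables, the `stub_parser`/`stub_enabled` stand-ins and the constructed temporary profile directory are assumptions of this example so that the comparison runs on a machine without AppArmor.

```shell
#!/bin/sh
# Added example; not from the mailing-list thread, dh-apparmor or apparmor.
# Real commands: apparmor_parser -r -T -W (replace, skip read cache, write
# cache) and aa-status --enabled. APPARMOR_PARSER and AA_STATUS are
# hypothetical override hooks so the measurement below can run offline.
set -e

PARSER="${APPARMOR_PARSER:-apparmor_parser}"
AA_STATUS_CMD="${AA_STATUS:-aa-status}"

# dh_apparmor shape: the package's postinst reloads exactly one profile
# and never aborts package configuration if the reload fails.
reload_one_profile() {
    profile="$1"
    [ -f "$profile" ] || return 0
    if "$AA_STATUS_CMD" --enabled 2>/dev/null; then
        $PARSER -r -T -W "$profile" || true
    fi
}

# Trigger shape: an 'activate /etc/apparmor.d' interest fires once per
# configure run and can only reload the whole directory, unrelated
# profiles included.
reload_profile_dir() {
    dir="$1"
    if "$AA_STATUS_CMD" --enabled 2>/dev/null; then
        $PARSER -r -T -W "$dir" || true
    fi
}

# Stand-in parser for the measurement (assumption): counts the profile
# files it would have to compile and records the total in $STUB_COUNT_FILE.
stub_parser() {
    n=0
    for arg in "$@"; do
        case "$arg" in
            -*) continue ;;
        esac
        if [ -d "$arg" ]; then
            n=$((n + $(find "$arg" -maxdepth 1 -type f | wc -l)))
        else
            n=$((n + 1))
        fi
    done
    echo "$n" > "$STUB_COUNT_FILE"
}
stub_enabled() { return 0; }

# measure_reload STRATEGY NPROFILES: build a constructed look-alike of
# /etc/apparmor.d holding NPROFILES files (NPROFILES-1 "vhost" profiles plus
# usr.sbin.cupsd) and print how many profiles STRATEGY ("single" or "dir")
# makes the parser compile when cups's profile is installed.
measure_reload() {
    strategy="$1"; nprofiles="$2"
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/apparmor.d"
    STUB_COUNT_FILE="$tmp/count"
    i=1
    while [ "$i" -lt "$nprofiles" ]; do
        echo "profile vhost$i {}" > "$tmp/apparmor.d/usr.sbin.apache2.vhost$i"
        i=$((i + 1))
    done
    echo "/usr/sbin/cupsd {}" > "$tmp/apparmor.d/usr.sbin.cupsd"

    saved_parser="$PARSER"; saved_status="$AA_STATUS_CMD"
    PARSER=stub_parser; AA_STATUS_CMD=stub_enabled
    case "$strategy" in
        single) reload_one_profile "$tmp/apparmor.d/usr.sbin.cupsd" ;;
        dir)    reload_profile_dir "$tmp/apparmor.d" ;;
        *)      echo "unknown strategy: $strategy" >&2; rm -rf "$tmp"; return 1 ;;
    esac
    PARSER="$saved_parser"; AA_STATUS_CMD="$saved_status"

    cat "$STUB_COUNT_FILE"
    rm -rf "$tmp"
}

# Stand-alone demo with the 5000-vhost scenario from the thread:
#   sh reload-cost.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "single-profile reload compiles: $(measure_reload single 5000) profile(s)"
    echo "directory reload compiles:      $(measure_reload dir 5000) profile(s)"
fi
```

With a real AppArmor host, leave the override variables unset and call `reload_one_profile /etc/apparmor.d/usr.sbin.cupsd` from a postinst's `configure` branch; the `|| true` keeps a profile syntax error from failing the package, which is why profile load failures are worth watching in the parser's output rather than in dpkg's exit status.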
