[apparmor] Bug#735470: Fwd: Bug#735470: Could be implemented centrally with a dpkg trigger instead of requiring every package shipping an apparmor file to use dh_apparmor
John Johansen
john.johansen at canonical.com
Thu Jan 16 22:57:52 UTC 2014
On 01/16/2014 02:49 PM, Kees Cook wrote:
> On Thu, Jan 16, 2014 at 07:37:04PM +0100, Didier 'OdyX' Raboud wrote:
>> Le jeudi, 16 janvier 2014 10.14:14, vous avez écrit :
>>> On Thu, Jan 16, 2014 at 11:11:22AM +0100, Didier 'OdyX' Raboud wrote:
>>>> As far as I understand deb-triggers' manpage, this can be enforced
>>>> using 'activate /etc/apparmor.d/', which will then make the trigger
>>>> run "at the start of the configure operation", which ensures
>>>> exactly what you want.
>>>
>>> Per-policy reloads must happen before a daemon restarts, so they
>>> cannot be triggers.
>>
>> Err…
>>
>> man deb-trigggers contradicts you, in my reading; an 'activate
>> /etc/apparmor.d' triggers' file in apparmor would make its action run
>> _before_ cups (which would have shipped /etc/apparmor.d/usr.sbin.cupsd)
>> would be 'configured' (hence its postinst run).
>>
>> Isn't it?
>
> Right, sorry, you are right, but my original observation stands: we should
> never reload all apparmor profiles when installing a single profile. Just
> the single profile should be reloaded. Otherwise we end up doing very
> CPU expensive work for no reason. The point of dh-apparmor is to reload a
> single profile, not all of them. Doing a trigger for all-profile reload
> isn't something we want. Think of the situation where someone has 5000
> apache virtual host profiles and they update cups. We never want to wait
> for those 5000 to be reloaded when cups's profile is installed. Hence,
> dh_apparmor.
>
Is there a way for a trigger to notice which file was updated?
That way we could use a trigger.
If not another option that comes to mind is we could add a new flag to the
parser that would say reload only if the cache is out of date.
The trigger would have to still do work figuring out which cache files
are out of date but thats still better than reloading everything to the
kernel.
More information about the AppArmor
mailing list