[apparmor] Bug#735470: Fwd: Bug#735470: Could be implemented centrally with a dpkg trigger instead of requiring every package shipping an apparmor file to use dh_apparmor
Didier 'OdyX' Raboud
odyx at debian.org
Fri Jan 17 10:26:59 UTC 2014
On Thursday, 16 January 2014, 14:49:06 Kees Cook wrote:
> On Thu, Jan 16, 2014 at 07:37:04PM +0100, Didier 'OdyX' Raboud wrote:
> > man deb-triggers contradicts you, in my reading; an 'activate
> > /etc/apparmor.d' triggers file in apparmor would make its action
> > run _before_ cups (which would have shipped
> > /etc/apparmor.d/usr.sbin.cupsd) would be 'configured' (hence its
> > postinst run).
>
> Right, sorry, you are right, but my original observation stands: we
> should never reload all apparmor profiles when installing a single
> profile. Just the single profile should be reloaded. Otherwise we end
> up doing very CPU expensive work for no reason. The point of
> dh-apparmor is to reload a single profile, not all of them.
That's quite easily circumvented in the trigger code by maintaining a
list of timestamps for the various apparmor.d/* files, as is done for
cups:
http://sources.debian.net/src/cups/1.7.1-2/debian/cups.postinst#L181
Then the trigger can reload only the concerned profiles, and never do it
for all of them. (Using the dpkg hashsums instead of timestamps would
allow doing it only for _changed_ profiles too.)
I'll try implementing something along those lines this week-end.
Cheers,
OdyX
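As an added example that is not code from this thread, from the apparmor package or from the cups postinst it links to, the following sketch shows what the trigger body OdyX describes could look like: a state file of per-profile content hashes (the "dpkg hashsums" variant rather than the cups mtime list), compared on each run so that only new or changed profiles are passed to apparmor_parser -r, never the whole set Kees objects to reloading. PROFILE_DIR, STATE_FILE, AA_PARSER and all function names are assumptions made for this example; apparmor_parser -r is the real tool, and the reload step is skipped when it is not installed so the bookkeeping can be run anywhere.

```shell
#!/bin/sh
# Added example (not code from the thread, from apparmor or from cups):
# a central dpkg-trigger body for /etc/apparmor.d that reloads only the
# profiles whose content changed since the last run. Keying on content
# hashes rather than mtimes means a file that dpkg merely re-extracted
# unchanged is not reloaded either.
#
# Assumed/hypothetical: PROFILE_DIR, STATE_FILE, AA_PARSER and every
# function name below. In a real package this would be what the apparmor
# postinst runs when dpkg calls it as "postinst triggered /etc/apparmor.d".

set -eu

PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d}"
STATE_FILE="${STATE_FILE:-/var/lib/apparmor/profile-hashes}"   # assumed path
AA_PARSER="${AA_PARSER:-apparmor_parser}"

# Print the SHA-256 of one file (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "<sha256>  <profile name>" for every regular file directly under
# directory $1, sorted by name. Subdirectories (abstractions, tunables,
# disable, ...) are deliberately skipped by this sketch.
hash_profiles() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(hash_file "$f")" "$(basename "$f")"
    done | sort -k2
}

# Print the hash recorded for profile $2 in state file $1 (empty if unknown).
recorded_hash() {
    [ -f "$1" ] || return 0
    awk -v n="$2" '$2 == n { print $1; exit }' "$1"
}

# Reload (replace) a single profile; if apparmor_parser is absent, say so
# on stderr and carry on, so the hash bookkeeping still runs.
reload_profile() {
    if command -v "$AA_PARSER" >/dev/null 2>&1; then
        "$AA_PARSER" -r "$1" </dev/null
    else
        echo "skip: $AA_PARSER not found, would reload $1" >&2
    fi
}

# Trigger body: reload only new or changed profiles in $1, then replace the
# state file $2 with the current hashes. Prints the names it reloaded, one
# per line, so a caller (or a test) can see what was touched.
reload_changed_profiles() {
    dir="$1"; state="$2"
    tmp=$(mktemp)
    hash_profiles "$dir" > "$tmp"
    while read -r sum name; do
        if [ "$(recorded_hash "$state" "$name")" != "$sum" ]; then
            reload_profile "$dir/$name"
            echo "$name"
        fi
    done < "$tmp"
    mkdir -p "$(dirname "$state")"
    mv "$tmp" "$state"     # profiles that disappeared simply drop out of the record
}

# Stand-alone usage: reload whatever changed under the configured directory.
# (Only runs when the script is executed directly, not when sourced.)
case "${0##*/}" in
    apparmor-reload-changed.sh) reload_changed_profiles "$PROFILE_DIR" "$STATE_FILE" ;;
esac
```

Two caveats a reviewer would raise before shipping something like this. First, a real /etc/apparmor.d holds more than flat profiles: abstractions and tunables are included by many profiles, so a change under those directories has to fan out to every profile that includes them, which this per-file comparison cannot see. Second, the trigger fires after dpkg has already removed a package's files, so a profile that is being deleted is gone by the time this runs; unloading it (apparmor_parser -R) still has to happen in that package's own prerm, as dh_apparmor arranges today.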