[apparmor] [Patch][parser]

John Johansen john.johansen at canonical.com
Sun Sep 21 06:35:07 UTC 2014


On 09/19/2014 06:22 PM, Seth Arnold wrote:
> On Fri, Sep 19, 2014 at 12:27:21PM -0700, John Johansen wrote:
>> fix: Make the parser behave the same as when driven with xargs -n1
>>
>> Currently the parser is bailing when it fails to load a profile,
>> not processing any potential subsequent profiles in the dir or passed
>> in list. This results in all policy after the first error failing
>> to load, instead of just the profile(s) with the error.
>>
>> This is a different behavior than what has been done by initscripts
>> that have driven it with xargs -n1, passing it a single profile
>> at a time.
>>
>> Fix this so that the parser only exits on first error if specifically
>> told to do so.
>>
>> Note: this does not fix the various failure points in the parser
>> that call exit, instead of returning an error.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
> 
> I believe this will address the failures that Jamie's seen. I'm .. on the
> fence about the idea as a whole but I believe this implementation is good.
> 
So it matches the behavior to the dominant way it has been used in the
past. I think it's better to load as much policy as possible instead of
bailing at some random point when we hit a single failure.

At some point in the future we will pick up an --atomic flag or something
similar, at which point everything will get treated as a single unit.
It will get built together, and loaded together, and succeed or fail
as a single unit. Which I am okay with because it is a very predictable
behavior.



