[apparmor] [PATCH 2/2] Set cache file tstamp to the mtime of most recent policy file tstamps

John Johansen john.johansen at canonical.com
Sat Jun 6 18:38:19 UTC 2015

On 06/06/2015 06:49 AM, Christian Boltz wrote:
> Hello,
> On Friday, 5 June 2015, John Johansen wrote:
>> Currently the cache file has its mtime set to its creation time, but
>> this can lead to cache issues when a policy file is updated
>> separately from the cache file so that it is possible a policy file is
>> newer than what the cache file was generated from but still fails
>> the comparison because the generated cache file has a newer
>> timestamp.
> This avoids quite some packaging problems, thanks!
> Bonus question: would it make sense to
> a) [simple change] let the cache check look for the exact timestamp 
>    (maybe with +/- 1 second) instead of "cache is newer than all files 
>    involved in the profile"?
The exact check would fail for all but 1 file unless you stored the
timestamps of all files used in creating the cache. Well unless you
changed the timestamps of all those files to be the same, which has its
own problems.

> b) [more difficult change] store the timestamp (or even a checksum) of 
>    all files involved in the profile/cache file?
I think storing a checksum or hash is the more likely solution. This
wouldn't be too hard.
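
The staleness case from the commit message and the two alternatives discussed in the reply, as an added Python example that is not part of the original thread or of the AppArmor parser. File names, contents and timestamps are constructed, and all function names are hypothetical.

```python
import hashlib, os, pathlib, tempfile

def newest(paths):
    """Newest mtime (ns) among the policy files a cache was built from."""
    return max(os.stat(p).st_mtime_ns for p in paths)

def cache_is_fresh(cache, paths):
    """Loader-side check: no policy file may be newer than the cache."""
    return os.stat(cache).st_mtime_ns >= newest(paths)

def stamp_like_patch(cache, paths):
    """Set the cache mtime to the newest policy mtime (the patch subject)."""
    t = newest(paths)
    os.utime(cache, ns=(t, t))

def exact_matches(cache, paths):
    """Option (a): policy files whose mtime equals the cache mtime exactly."""
    return [p for p in paths if os.stat(p).st_mtime_ns == os.stat(cache).st_mtime_ns]

def digest(paths):
    """Option (b): one SHA-256 over name, length and content of every input."""
    h = hashlib.sha256()
    for p in sorted(paths):
        data = pathlib.Path(p).read_bytes()
        h.update(os.path.basename(p).encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def put(path, body, mtime):
    """Write a constructed file and pin its mtime (seconds)."""
    pathlib.Path(path).write_bytes(body)
    os.utime(path, (mtime, mtime))

def demo():
    with tempfile.TemporaryDirectory() as d:
        profile, abstraction, cache = (os.path.join(d, n) for n in ("profile", "abstraction", "cache"))
        paths, r = [profile, abstraction], {}
        put(profile, b"v1", 1000); put(abstraction, b"a1", 900)
        put(cache, b"compiled from v1", 2000)      # old: mtime = creation time
        saved = digest(paths)                      # what option (b) would store
        put(profile, b"v2", 1500)                  # policy updated separately
        r["old_accepts_stale"] = cache_is_fresh(cache, paths)
        r["hash_detects_change"] = digest(paths) != saved
        put(profile, b"v1", 1000); stamp_like_patch(cache, paths)
        r["exact_match_count"] = len(exact_matches(cache, paths))
        put(profile, b"v2", 1500)                  # same update, patched stamp
        r["patched_accepts_stale"] = cache_is_fresh(cache, paths)
        return r

if __name__ == "__main__":
    print(demo())
```
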
