[apparmor] changing policy compiles
Jamie Strandboge
jamie at canonical.com
Tue Sep 27 15:22:47 UTC 2016
On Thu, 2016-09-08 at 00:44 -0700, John Johansen wrote:
> I would like to propose we change how policy compiles are being done
> and cached.
>
> Currently the compiler (apparmor_parser) checks the feature set
> supported by the kernel and the abi and uses this combined information
> to compile the policy. The problem with this is that as features
> support changes in the kernel this mandates that policy must be
> recompiled even if the abi has not changed.
>
> Instead I would like to see the compiler base its caching and compile
> decision only around the compiler and kernel abis. This would mean the
> full feature set supported by the compiler would be included in the
> compile. The backend abi of the policydb allows for incremental
> addition of new features as long as the abi of an existing feature
> doesn't change. The feature set supported by the kernel could still
> be used to provide warnings that certain parts of policy may not be
> enforced by the current kernel.
>
> The net effect of this change would be that the cache could be reused
> between more kernels, meaning fewer policy recompiles. This also
> implies that a precompiled policy could be used to support multiple
> kernels, making it easier to support distribution of pre-built cache
> files.
We spoke about this on IRC before but I neglected to comment here. I am
generally in favor of this approach. Speaking for Ubuntu, I'm not quite sure yet
how it could be leveraged effectively in Ubuntu projects or at what priority
this should be, but it seems clear this approach has interesting possibilities
for improving the user experience when managing profile loads on systems with
lots of profiles.
--
Jamie Strandboge | http://www.canonical.com
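The trade-off discussed in the thread, as an added illustrative model that is not apparmor_parser code: a policy cache keyed on the kernel's full feature set is invalidated by any feature addition, whereas a cache keyed on the compiler and kernel ABIs survives it, with the kernel feature set used only to warn about rules the running kernel cannot enforce. Feature names, ABI numbers and the hash-based key format are constructed assumptions for the model.

```python
"""Model of the two cache-key strategies from the thread (illustration only)."""
import hashlib
import json

# Constructed sample data; the names below are not real AppArmor feature strings.
COMPILER_ABI = 1
COMPILER_FEATURES = {"file", "network", "signal", "ptrace", "unix"}
POLICY_FEATURES = {"file", "network", "ptrace"}          # what the policy uses
KERNEL_A = {"abi": 1, "features": {"file", "network", "signal"}}
KERNEL_B = {"abi": 1, "features": {"file", "network", "signal", "ptrace"}}


def cache_key_by_features(kernel_features, kernel_abi):
    """Current scheme: key depends on the kernel's feature set and its abi."""
    payload = json.dumps({"abi": kernel_abi, "features": sorted(kernel_features)})
    return hashlib.sha256(payload.encode()).hexdigest()


def cache_key_by_abi(compiler_abi, kernel_abi):
    """Proposed scheme: key depends only on compiler abi and kernel abi."""
    payload = json.dumps({"compiler_abi": compiler_abi, "kernel_abi": kernel_abi})
    return hashlib.sha256(payload.encode()).hexdigest()


def unenforced_features(policy_features, kernel_features):
    """Policy features this kernel cannot enforce: a warning, not a recompile."""
    return sorted(set(policy_features) - set(kernel_features))


def simulate(strategy):
    """Compile on KERNEL_A, then boot KERNEL_B (same abi, one new feature).

    Returns whether kernel B forces a recompile and the warnings for each kernel.
    """
    if strategy == "features":
        key_a = cache_key_by_features(KERNEL_A["features"], KERNEL_A["abi"])
        key_b = cache_key_by_features(KERNEL_B["features"], KERNEL_B["abi"])
    else:
        key_a = cache_key_by_abi(COMPILER_ABI, KERNEL_A["abi"])
        key_b = cache_key_by_abi(COMPILER_ABI, KERNEL_B["abi"])
    cache = {key_a: "compiled policy (all compiler features included)"}
    return {
        "recompile_on_b": key_b not in cache,
        "warn_on_a": unenforced_features(POLICY_FEATURES, KERNEL_A["features"]),
        "warn_on_b": unenforced_features(POLICY_FEATURES, KERNEL_B["features"]),
    }


if __name__ == "__main__":
    for name in ("features", "abi"):
        print(name, simulate(name))
```

Under the proposed scheme only an ABI change on either side changes the key, so a feature-only kernel update reuses the cache while kernel A still gets a warning that its ptrace rules are not enforced.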