[apparmor] apparmor cache dir error messages
Christian Boltz
apparmor at cboltz.de
Wed May 19 21:31:11 UTC 2021
Hello,
On Tuesday, 18 May 2021, 19:54:55, mailinglisten at posteo.de wrote:
> On 17.05.21 at 23:50, Christian Boltz wrote:
> >>(...)
> >>
> > In theory the packaged pre-compiled cache should match the kernel so
> > that the directory actually gets used. Your error message indicates
> > that there is a mismatch - did you install a non-default kernel?
> > (And BTW, which distribution do you use?)
>
> openSUSE Leap 15.2 and actually I do use a non-default kernel
OK, that non-default kernel explains why the packaged cache doesn't get
used.
> > The directory is probably part of a package you've installed [1],
> > therefore I'd recommend keeping it. (Deleting it won't break
> > AppArmor, but your package manager might start to complain about
> > the missing files.)
>
> I would expect a cache directory below /var and actually there is also
> a cache dir, /var/lib/apparmor/cache/ that contains just a hidden
> file named .features.
That's an old cache location (up to AppArmor 2.12). IIRC we had to use
it because of the quite complex btrfs layout older openSUSE releases
used (with several /var/$whatever subvolumes) + the condition that the
cache should be available as early as possible on boot.

Newer openSUSE releases have the btrfs subvolumes simplified a lot,
which also allowed us to move the cache to /var/cache/apparmor/ starting
with AppArmor 2.13. This directory should contain at least one
subdirectory with cache files that match your running kernel.
> What is the benefit of a pre-compiled cache in contrast to the
> profiles in /etc/apparmor.d/?
The profiles get loaded faster, which is especially noticeable on boot.
The exact numbers depend on the profiles you have. For example, on my
laptop (with several additional non-default profiles), it's 7 seconds
without cache vs. 0.2s when using the cache.
Regards,
Christian Boltz
--
> What do you all use to create your homepages?
with vim *g*. Though there are people who actually claim that this is
also supposed to work with that operating system - what's it called
again - *uh* Emacs. <SCNR> [> Bernd Stäglich and Philipp Zacharias in suse-linux]
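One way to check the point made in the message above, that /var/cache/apparmor/ should contain a subdirectory with cache files matching the running kernel. This is an added example, not part of the original post; it assumes each cache subdirectory carries a `.features` file and that `apparmor_parser` supports `--print-cache-dir`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inspect an AppArmor cache root (2.13+ layout).

# Print "<subdir> <number of cache files>" for every subdirectory of $1
# that has a .features file (assumption: per-kernel cache directories
# each carry one, describing the kernel features they were built for).
list_cache_dirs() {
    root=$1
    [ -d "$root" ] || return 1
    for d in "$root"/*/; do
        [ -f "${d}.features" ] || continue
        n=$(find "$d" -maxdepth 1 -type f ! -name '.features' | wc -l)
        printf '%s %s\n' "$(basename "$d")" "$((n))"
    done
}

# Compare cache root $1 with the directory $2 that the parser reports for
# the running kernel. Prints:
#   match    - that subdirectory exists and holds compiled profiles
#   empty    - it exists but holds no cache files yet
#   mismatch - no such subdirectory (e.g. cache built for another kernel)
cache_status() {
    root=$1
    name=$(basename "$2")
    count=$(list_cache_dirs "$root" | awk -v n="$name" '$1 == n { print $2 }')
    if [ -z "$count" ]; then
        echo mismatch
    elif [ "$count" -eq 0 ]; then
        echo empty
    else
        echo match
    fi
}

# Live check, only when called as: sh script.sh live
# Only the directory name is compared, so a parser configured with a
# different cache location will show up as "mismatch" here.
if [ "${1:-}" = live ]; then
    root=/var/cache/apparmor
    list_cache_dirs "$root"
    expected=$(apparmor_parser --print-cache-dir)
    echo "parser expects $expected: $(cache_status "$root" "$expected")"
fi
```

A `mismatch` result corresponds to the situation discussed in the thread, where a cache built for a different kernel is not used.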