[SRU][X][PATCH 0/1] Provide AppArmor flag indicating binfmt_elf_mmap change

Tyler Hicks tyhicks at canonical.com
Thu May 30 01:52:12 UTC 2019

On 2019-05-29 18:26:55, Steve Beattie wrote:
> [Regression Risk]
> Low, introduces a new file in the apparmor securityfs filesystem, no
> other kernel side behavioral changes.

I think the regression risk is a little more than meets the eye here.
Introducing a new file in apparmorfs will cause a policy cache
invalidation and full policy recompilation when initially booting a
kernel that includes this change. This will happen because the on-disk
/etc/apparmor.d/cache/.features will not match the new apparmorfs

This used to be an issue in the phablet days because a full policy
recompilation took a long time on a phone (> 1 minute, IIRC). We don't
typically do anything to invalidate the cache during the life of a
stable release but I don't think we'll run into any problems these days.
The only thing that gives me a little pause is image based stuff (cloud
and core). However, it might be worth a quick discussion with John and
Jamie before we apply this patch to see if they can think of any
potential problems. Can you do that and reply with the outcome?


More information about the kernel-team mailing list