cache hit when cache generated from a different profile
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
AppArmor | Triaged | Low | Unassigned | |
Bug Description
AppArmor policy caching does not correctly track which profile generated the cache entry, nor the contents of the profile used to generate the entry, which can result in a false positive hit.
To replicate
Take two versions of the same profile (with some variation) with the same basename, load the one and then the other:
apparmor_parser -kWr ./usr.lib.colord
Cache miss: ./usr.lib.colord
apparmor_parser -kWr /etc/apparmor.
Cache hit: /etc/apparmor.
The second profile is different and should result in a cache miss, but because apparmor_parser is only testing based on the basename of the file and the timestamps involved, the cache is hit and the first version of the profile is used instead of compiling and loading the new version.
Changed in apparmor:
importance: Undecided → Low
status: New → Triaged
tags: added: aa-parser
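The false hit described in the bug description, modeled in Python as an added example (it is not apparmor_parser's code and not part of the original report). The in-memory cache dict, the function names, the profile name `usr.lib.example` and the timestamps are constructed for illustration; the content-bound check is one possible stricter test, not a fix taken from the project.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def store(cache, path, built_at):
    """Record a cache entry for a compiled profile, keyed by basename only."""
    cache[os.path.basename(path)] = {
        "built_at": built_at,                 # timestamp of the cache file
        "source": os.path.realpath(path),     # which file produced it
        "sha256": sha256_of(path),            # what that file contained
    }

def hit_basename_mtime(cache, path):
    """Check as described in the report: same basename, cache newer than profile."""
    entry = cache.get(os.path.basename(path))
    return entry is not None and entry["built_at"] >= os.stat(path).st_mtime

def hit_content_bound(cache, path):
    """Stricter check: the entry must also come from this file with these contents."""
    entry = cache.get(os.path.basename(path))
    return (entry is not None
            and entry["source"] == os.path.realpath(path)
            and entry["sha256"] == sha256_of(path))

def demo():
    """Two constructed profiles with the same basename and different rules."""
    with tempfile.TemporaryDirectory() as root:
        paths = []
        for sub, rule in (("local", "/tmp/a r,"), ("system", "/tmp/b rw,")):
            os.mkdir(os.path.join(root, sub))
            p = os.path.join(root, sub, "usr.lib.example")
            with open(p, "w") as f:
                f.write("profile example {\n  %s\n}\n" % rule)
            os.utime(p, (1000, 1000))         # both profiles older than the cache
            paths.append(p)
        first, second = paths
        cache = {}
        first_load = hit_basename_mtime(cache, first)   # nothing cached yet
        store(cache, first, built_at=2000)              # cache built from `first`
        return {"first_load": first_load,
                "weak_second": hit_basename_mtime(cache, second),
                "strict_second": hit_content_bound(cache, second),
                "strict_first": hit_content_bound(cache, first)}

if __name__ == "__main__":
    print(demo())
```

`weak_second` is the false positive from the report: the second profile grants different access, yet the entry built from the first one is accepted for it.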