Support multiple versions of AppArmor policy cache files

Bug #1384746 reported by Tyler Hicks
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
AppArmor | Fix Released | Medium | Tyler Hicks |
apparmor (Ubuntu) | Triaged | Medium | Unassigned |
linux (Ubuntu) | Triaged | Medium | Tyler Hicks |

Bug Description

The AppArmor parser should support multiple directories of policy cache files. Directories should be specific to a certain AppArmor kernel feature set.

From a distro standpoint, this would allow policy caches to be created during kernel install/upgrade.

Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1384746

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Tyler Hicks (tyhicks) wrote :

Once the AppArmor parser supports multiple, versioned policy cache files, I will be adding the ability to generate the policy cache files at kernel postinst. This will involve shipping a flattened AppArmor features file in the Ubuntu kernel packages and then calling out to apparmor_parser and specifying the shipped features file. To avoid potential maintenance issues, there may need to be some script/program to generate a flattened features file from the security/apparmor/apparmorfs.c source file.

Changed in linux (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → Medium
status: Incomplete → Confirmed
status: Confirmed → Triaged
tags: added: aa-parser
Changed in apparmor (Ubuntu):
status: Confirmed → Triaged
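
An added illustration of the idea discussed above, not code from AppArmor or from anyone in this thread: it flattens a features directory tree into a single string and derives one cache subdirectory per feature set, so two kernels share a cache only when their feature sets match. The `name {contents}` record layout, the sorted traversal, the digest-based directory name and the sample feature values are all assumptions made for this example.

```python
import hashlib
import os
import tempfile

def flatten_features(path):
    """Flatten a features tree into nested 'name {contents}' records (assumed layout)."""
    out = []
    for name in sorted(os.listdir(path)):      # sorted so the result is deterministic
        if name.startswith("."):
            continue
        full = os.path.join(path, name)
        if os.path.isdir(full):
            body = flatten_features(full)
        else:
            with open(full, encoding="ascii") as fh:
                body = fh.read()
        out.append(f"{name} {{{body}}}\n")
    return "".join(out)

def cache_dir_for(cache_root, flattened):
    """Hypothetical naming scheme: one subdirectory per feature set, keyed by digest."""
    digest = hashlib.sha256(flattened.encode("ascii")).hexdigest()[:16]
    return os.path.join(cache_root, digest)

def build_tree(root, tree):
    """Write a nested dict as directories (dict values) and files (str values)."""
    for name, value in tree.items():
        full = os.path.join(root, name)
        if isinstance(value, dict):
            os.mkdir(full)
            build_tree(full, value)
        else:
            with open(full, "w", encoding="ascii") as fh:
                fh.write(value)

# Constructed sample feature sets for two kernels; kernel B adds one feature.
KERNEL_A = {"caps": {"mask": "chown dac_override\n"}, "file": {"mask": "read write\n"}}
KERNEL_B = dict(KERNEL_A, dbus={"mask": "send receive\n"})

def demo(cache_root="/var/cache/apparmor"):
    """Return {label: (flattened features, cache directory)} for both sample kernels."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, tree in (("a", KERNEL_A), ("b", KERNEL_B)):
            root = os.path.join(tmp, label)
            os.mkdir(root)
            build_tree(root, tree)
            flat = flatten_features(root)
            results[label] = (flat, cache_dir_for(cache_root, flat))
    return results

if __name__ == "__main__":
    for label, (flat, cdir) in demo().items():
        print(f"kernel {label}: {cdir}\n{flat}")
```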
Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu):
status: Triaged → In Progress
status: In Progress → Confirmed
status: Confirmed → Triaged
Changed in apparmor:
status: Triaged → In Progress
intrigeri (intrigeri) wrote :

It seems to me this was fixed & released a while ago.

https://bugs.launchpad.net/apparmor/+bug/1384746/comments/2 could be tracked on a new, follow-up bug, if still desired.

Changed in apparmor:
status: In Progress → Fix Released
John Johansen (jjohansen) wrote :

Indeed https://bugs.launchpad.net/apparmor/+bug/1384746/comments/2 should be tracked elsewhere. It really should be split out into two separate tracking issues.

1. either generating the feature file from the kernel on build. To track this I have opened https://gitlab.com/apparmor/apparmor/-/issues/217.

2. OS integration so that kernel packages can build cache files on install. To track this I have opened https://gitlab.com/apparmor/apparmor/-/issues/218
