apparmor_parser fails to consider its own time stamp when determining if profile cache is stale
Bug #731184 reported by
John Johansen
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| AppArmor |
Fix Released
|
Medium
|
Unassigned | ||
| 2.6 |
Fix Released
|
Medium
|
Unassigned | ||
Bug Description
If the apparmor_parser is updated (outside of current packaging), when doing profile loads it will use the existing cache of compiled profiles, instead of forcing a recompile on profiles.
This can cause apparmor to load bad policy if the parser contains a bug fix for the previous version of the parser.
This can be worked around in packaging by invalidating the cache and forcing a profile reload when the parser is upgraded.
Revision history for this message
| Kees Cook (kees) wrote | #1 |
Revision history for this message
| John Johansen (jjohansen) wrote | #2 |
| Changed in apparmor: | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| milestone: | none → 2.6.1 |
Revision history for this message
| Steve Beattie (sbeattie) wrote | #3 |
| Changed in apparmor: | |
| status: | Triaged → Fix Released |
| milestone: | 2.6.1 → none |
Revision history for this message
| Steve Beattie (sbeattie) wrote | #4 |
To post a comment you must log in.
The Ubuntu packaging for the parser already does this.
For a more air-tight solution, the parser version should likely be included in the future cache metadata.