Comment 31 for bug 1305108

Jamie Strandboge (jdstrand) wrote :

Marc has uploaded packages for apparmor, click-apparmor and ubuntu-touch-session for this. I have tested on a mako device and these changes work well with no processes running out of confinement with a profile defined (which once this lands will unblock bug #1296415).

Furthermore, I tested this on a desktop system with lots of profiles (system profiles with profile loading in the upstart job, system profiles without explicit profile loading (i.e., processes confined in the user's session and processes started via an initscript) and click profiles). All of them were loaded upon login with no processes running out of confinement with a profile defined. I tested this with and without a valid cache. Without a valid cache, boot was paused for profile compilation (which is intended) and in both cases the profiles were loaded correctly.

Testing will proceed over the weekend and we plan on requesting a silo for landing Monday.

(FYI, we have work items to perform policy compilation during kernel upgrades which is planned for this cycle so desktop and server users should never have to feel policy compilation on boot. Furthermore, for touch, work has been done to precompile policy during image generation and Marc's packages contain a parser fix to make that work correctly.)