apparmor_parser should be able to recompile policy on bad cache
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apparmor (Ubuntu) | Fix Released | High | John Johansen | |
Bug Description
Right now, if given --cache-loc the parser will see if there is a cache file. If there isn't and --write-cache is used, the parser will compile the policy and put the binary cache in --cache-loc (fine). If there is a cache file, it will load the cache file (also fine). If the cache file is corrupt, the policy is not loaded into the kernel.
Not loading the policy into the kernel may be fine for certain environments, but there should be an option, if the cache file is corrupt, to delete it, recompile the policy and write out a new cache file. This would be very worthwhile for Ubuntu's cache loading since there is no way to recover from a bad cache file without user intervention.
Setting to 'High' with tags to indicate that we want to include this on shipping devices but that it can be delivered as OTA.
Changed in apparmor (Ubuntu): | |
importance: | Undecided → High |
status: | New → Triaged |
tags: | added: ota-1 rtm14 |
description: | updated |
Changed in apparmor (Ubuntu): | |
status: | Triaged → In Progress |
assignee: | nobody → John Johansen (jjohansen) |
This bug was fixed in the package apparmor - 2.8.96~2652-0ubuntu5
---------------
apparmor (2.8.96~2652-0ubuntu5) utopic; urgency=medium
  [ Jamie Strandboge ]
  * sanitized-helpers-updates.patch: update ubuntu-helpers for unix mediation
  * 10-lp1371771.patch: don't exit prematurely and fail to load remaining
    policy if encounter a corrupt cache file (LP: #1371771)
  * 11-lp1371765.patch: if a cache load fails, attempt to rebuild and load it
    (LP: #1371765)
  * debian/lib/apparmor/functions:
    - don't return 0 on parsing failure. Patch thanks to Felix Geyer
      (LP: #1370228)
    - use xargs -n1 when we don't have cache files, but omit it when we do.
      This allows taking full advantage of xargs -P when we need it most,
      without the cost when we don't.
  [ Steve Beattie ]
  * update_socketpair_tests_for_af_unix.patch, fix_socketpair_tests.patch:
    update socketpair regression tests for af_unix socket mediation
 -- Jamie Strandboge <email address hidden>  Mon, 22 Sep 2014 09:39:10 -0500
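The recovery behaviour requested in the bug description and listed in the changelog (retry without the cache, keep loading the remaining policy, report failure with a non-zero status), sketched as a wrapper for a parser that does not yet do this itself. This is an added example, not code from the apparmor package or the Ubuntu patches; `PARSER`, `load_profile` and `load_all` are hypothetical names, and the retry uses the parser's `--skip-read-cache` option with `--write-cache` to overwrite the bad cache rather than deleting the file by hand.

```shell
#!/bin/sh
# Added example, not the apparmor project's code.
# PARSER is an assumption: it lets the parser binary be swapped out.
PARSER="${PARSER:-apparmor_parser}"

# Load one profile, preferring the binary cache under the given cache dir.
# Returns 0 if the profile was loaded (from cache or after a rebuild),
# non-zero if the rebuild from source failed as well.
load_profile() {
    profile=$1
    cache_dir=$2
    # First attempt: use the cache if present, write it if absent.
    if "$PARSER" --replace --write-cache --cache-loc "$cache_dir" "$profile"; then
        return 0
    fi
    echo "cached load failed for $profile, recompiling from source" >&2
    # Second attempt: ignore whatever is in the cache, recompile the
    # policy text and write a fresh cache file over the old one.
    "$PARSER" --replace --skip-read-cache --write-cache \
        --cache-loc "$cache_dir" "$profile"
}

# Load every profile given after the cache dir. A failure on one profile
# does not stop the rest from loading; the exit status is non-zero if
# any profile could not be loaded.
load_all() {
    cache_dir=$1
    shift
    failed=0
    for p in "$@"; do
        if ! load_profile "$p" "$cache_dir"; then
            echo "could not load $p" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}
```

A first-attempt failure can also come from a syntax error in the profile source; in that case the rebuild fails too and the profile is counted as not loaded.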