apparmor_parser should be able to recompile policy on bad cache

Bug #1371765 reported by Jamie Strandboge
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: John Johansen

Bug Description

Right now, if given --cache-loc the parser will see if there is a cache file. If there isn't and --write-cache is used, the parser will compile the policy and put the binary cache in --cache-loc (fine). If there is a cache file, it will load the cache file (also fine). If the cache file is corrupt, the policy is not loaded into the kernel.

Not loading the policy into the kernel may be fine for certain environments, but there should be an option, if the cache file is corrupt, to delete it, recompile the policy and write out a new cache file. This would be very worthwhile for Ubuntu's cache loading since there is no way to recover from a bad cache file without user intervention.

Setting to 'High' with tags to indicate that we want to include this on shipping devices but that it can be delivered as OTA.

Tags: ota-1 rtm14
Changed in apparmor (Ubuntu):
importance: Undecided → High
status: New → Triaged
tags: added: ota-1 rtm14
description: updated
Changed in apparmor (Ubuntu):
status: Triaged → In Progress
assignee: nobody → John Johansen (jjohansen)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.96~2652-0ubuntu5

---------------
apparmor (2.8.96~2652-0ubuntu5) utopic; urgency=medium

  [ Jamie Strandboge ]
  * sanitized-helpers-updates.patch: update ubuntu-helpers for unix mediation
  * 10-lp1371771.patch: don't exit prematurely and fail to load remaining
    policy if encounter a corrupt cache file (LP: #1371771)
  * 11-lp1371765.patch: if a cache load fails, attempt to rebuild and load it
    (LP: #1371765)
  * debian/lib/apparmor/functions:
    - don't return 0 on parsing failure. Patch thanks to Felix Geyer
      (LP: #1370228)
    - use xargs -n1 when we don't have cache files, but omit it when we do.
      This allows taking full advantage of xargs -P when we need it most,
      without the cost when we don't.

  [ Steve Beattie ]
  * update_socketpair_tests_for_af_unix.patch,
    fix_socketpair_tests.patch: update socketpair regression tests for
    af_unix socket mediation
 -- Jamie Strandboge <email address hidden> Mon, 22 Sep 2014 09:39:10 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
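
The fallback requested in the bug description, applied from outside the parser, together with the "keep loading the remaining policy" behaviour from the changelog. This is an added example, not code from the bug report or from the apparmor package. The function names and the PARSER variable are hypothetical, and --replace and --skip-read-cache are apparmor_parser options that the report itself does not mention.

```shell
#!/bin/sh
# Added example, not apparmor's own code.
# Assumption: PARSER names apparmor_parser or a compatible command.
PARSER="${PARSER:-apparmor_parser}"

# load_one CACHE_DIR PROFILE
# Returns 0 once the profile is loaded, 1 if both attempts fail.
load_one() {
    cache_dir=$1
    profile=$2

    # Attempt 1: normal load. The parser uses the cache file if one exists
    # and writes one if it does not.
    if "$PARSER" --replace --write-cache --cache-loc "$cache_dir" "$profile"; then
        return 0
    fi

    # Attempt 2: ignore the cache, compile from the profile source and
    # write a fresh cache file over the old one.
    echo "load failed for $profile, rebuilding without the cache" >&2
    if "$PARSER" --replace --skip-read-cache --write-cache \
            --cache-loc "$cache_dir" "$profile"; then
        return 0
    fi

    # Still failing with the cache out of the picture: the profile source
    # itself does not compile or load.
    echo "failed to load $profile even without the cache" >&2
    return 1
}

# load_all CACHE_DIR PROFILE...
# Continues past failures so that one bad profile or cache file does not
# stop the remaining policy from loading. Leaves the number of failed
# profiles in $failed and returns non-zero if there were any.
load_all() {
    cache_dir=$1
    shift
    failed=0
    for profile in "$@"; do
        load_one "$cache_dir" "$profile" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}
```

A second failure with --skip-read-cache points at the profile source instead of the cache, which is worth logging separately from a recovered cache load.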