apparmor_parser should be able to recompile policy on bad cache

Bug #1371765 reported by Jamie Strandboge on 2014-09-19
This bug affects 1 person
Affects: apparmor (Ubuntu)
Assigned to: John Johansen

Bug Description

Right now, if given --cache-loc the parser will see if there is a cache file. If there isn't and --write-cache is used, the parser will compile the policy and put the binary cache in --cache-loc (fine). If there is a cache file, it will load the cache file (also fine). If the cache file is corrupt, the policy is not loaded into the kernel.

Not loading the policy into the kernel may be fine for certain environments, but there should be an option, if the cache file is corrupt, to delete it, recompile the policy and write out a new cache file. This would be very worthwhile for Ubuntu's cache loading since there is no way to recover from a bad cache file without user intervention.

Setting to 'High' with tags to indicate that we want to include this on shipping devices but that it can be delivered as OTA.
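
One way to get the fallback requested above from a parser that lacks it, as an added example that is not part of the bug report or of the apparmor package. `load_profile`, `PARSER` and `LOAD_RESULT` are names made up here; `--replace` and `--skip-read-cache` are existing apparmor_parser options that the report does not mention.

```shell
#!/bin/sh
# Added example: retry an AppArmor policy load without the cache when the
# cached load fails. PARSER, load_profile and LOAD_RESULT are names made up
# for this example.
PARSER="${PARSER:-apparmor_parser}"

# load_profile PROFILE CACHE_DIR
# Sets LOAD_RESULT to "loaded" (first attempt worked), "rebuilt" (cache was
# bypassed and rewritten) or "failed". Returns 0 only if policy was loaded.
load_profile() {
    profile=$1
    cache_dir=$2
    LOAD_RESULT=failed

    if [ ! -r "$profile" ] || [ ! -d "$cache_dir" ]; then
        echo "load_profile: bad profile or cache dir" >&2
        return 1
    fi

    # Attempt 1: normal path. Uses the cache file if one exists, otherwise
    # compiles the text profile and writes a cache file.
    if "$PARSER" --replace --write-cache --cache-loc "$cache_dir" \
            -- "$profile"; then
        LOAD_RESULT=loaded
        return 0
    fi

    # Attempt 2: ignore the cache, compile from text and overwrite the cache
    # file. Log it: a cache that stops loading is worth an investigation.
    echo "load_profile: cached load failed for $profile, recompiling" >&2
    if "$PARSER" --replace --skip-read-cache --write-cache \
            --cache-loc "$cache_dir" -- "$profile"; then
        LOAD_RESULT=rebuilt
        return 0
    fi

    # The text profile itself does not compile or load; the caller must
    # treat this as an error rather than continue silently.
    echo "load_profile: $profile NOT loaded" >&2
    return 1
}

# Stand-alone use: sh load_profile.sh PROFILE CACHE_DIR
if [ "$#" -eq 2 ]; then
    load_profile "$1" "$2"
fi
```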

Changed in apparmor (Ubuntu):
importance: Undecided → High
status: New → Triaged
tags: added: ota-1 rtm14
description: updated
Changed in apparmor (Ubuntu):
status: Triaged → In Progress
assignee: nobody → John Johansen (jjohansen)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.96~2652-0ubuntu5

apparmor (2.8.96~2652-0ubuntu5) utopic; urgency=medium

  [ Jamie Strandboge ]
  * sanitized-helpers-updates.patch: update ubuntu-helpers for unix mediation
  * 10-lp1371771.patch: don't exit prematurely and fail to load remaining
    policy if encounter a corrupt cache file (LP: #1371771)
  * 11-lp1371765.patch: if a cache load fails, attempt to rebuild and load it
    (LP: #1371765)
  * debian/lib/apparmor/functions:
    - don't return 0 on parsing failure. Patch thanks to Felix Geyer
      (LP: #1370228)
    - use xargs -n1 when we don't have cache files, but omit it when we do.
      This allows taking full advantage of xargs -P when we need it most,
      without the cost when we don't.

  [ Steve Beattie ]
  * update_socketpair_tests_for_af_unix.patch,
    fix_socketpair_tests.patch: update socketpair regression tests for
    af_unix socket mediation
 -- Jamie Strandboge <email address hidden> Mon, 22 Sep 2014 09:39:10 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released