premature exit if find corrupted cache files

Bug #1371771 reported by Jamie Strandboge on 2014-09-19
This bug affects 1 person
Affects: apparmor (Ubuntu)
Importance: Critical
Assigned to: John Johansen

Bug Description

2.8.96~2652-0ubuntu4 did this:
  * debian/lib/apparmor/functions: don't pass costly '-n1' to xargs in
    foreach_configured_profile() when loading valid cache files. This used to
    be needed when apparmor_parser would generate different binary caches when
    compiling policy one profile at a time and all at once. That bug is long
    fixed and removing -n1 gives a significant performance improvement for
    boots with valid cache files (~65% on armhf)

This is great, except there is a parser bug: if there is a corrupted cache file, all further cache files fail to load. While it is unusual to have corrupted cache files, the damage is catastrophic if an early cache file is corrupt, since all remaining policy fails to load and requires the user to manually delete the corrupted cache files. Fixing the premature exit will not address corrupt cache files, but will allow the remaining good cache files to load.

Please see bug #1371765 on how to make cache usage more robust.

Changed in apparmor (Ubuntu):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → John Johansen (jjohansen)
tags: added: rtm14 touch-2014-09-25

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apparmor - 2.8.96~2652-0ubuntu5

---------------
apparmor (2.8.96~2652-0ubuntu5) utopic; urgency=medium

  [ Jamie Strandboge ]
  * sanitized-helpers-updates.patch: update ubuntu-helpers for unix mediation
  * 10-lp1371771.patch: don't exit prematurely and fail to load remaining
    policy if encounter a corrupt cache file (LP: #1371771)
  * 11-lp1371765.patch: if a cache load fails, attempt to rebuild and load it
    (LP: #1371765)
  * debian/lib/apparmor/functions:
    - don't return 0 on parsing failure. Patch thanks to Felix Geyer
      (LP: #1370228)
    - use xargs -n1 when we don't have cache files, but omit it when we do.
      This allows taking full advantage of xargs -P when we need it most,
      without the cost when we don't.

  [ Steve Beattie ]
  * update_socketpair_tests_for_af_unix.patch,
    fix_socketpair_tests.patch: update socketpair regression tests for
    af_unix socket mediation
 -- Jamie Strandboge <email address hidden> Mon, 22 Sep 2014 09:39:10 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
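
The failure mode described in this report can be reproduced with stand-in loaders. This is an added example, not code from the bug report or from AppArmor: FRAGILE, ROBUST, run_loader and the "CACHE-OK" marker are constructed for illustration and assume nothing about apparmor_parser beyond what the report states.

```shell
# Constructed demo: a cache file counts as valid when its first line is "CACHE-OK".
# FRAGILE and ROBUST are hypothetical stand-ins for a policy loader, not apparmor_parser.

# Stops at the first corrupt file: everything after it in the same batch is skipped.
FRAGILE='for f in "$@"; do
  [ "$(head -n 1 "$f")" = CACHE-OK ] || exit 1
  echo "$f" >> "$LOADED"
done'

# Skips the corrupt file, keeps going, and still reports failure at the end.
ROBUST='rc=0
for f in "$@"; do
  if [ "$(head -n 1 "$f")" = CACHE-OK ]; then echo "$f" >> "$LOADED"; else rc=1; fi
done
exit $rc'

# run_loader LOADER_BODY [XARGS_OPTION...]
# Builds five constructed cache files (the second is corrupt), feeds them to the
# loader through xargs, and prints "<files loaded> <ok|failed>".
run_loader() {
    body=$1; shift
    dir=$(mktemp -d) || return 1
    LOADED="$dir/loaded.log"; export LOADED
    : > "$LOADED"
    for n in 1 2 3 4 5; do echo CACHE-OK > "$dir/profile$n.cache"; done
    echo garbage > "$dir/profile2.cache"
    result=ok
    printf '%s\n' "$dir"/*.cache | xargs "$@" sh -c "$body" loader || result=failed
    count=$(wc -l < "$LOADED" | tr -d ' ')
    rm -rf "$dir"
    echo "$count $result"
}

run_loader "$FRAGILE"        # one batch: only profile1 loads    -> 1 failed
run_loader "$FRAGILE" -n1    # one process per file: four load   -> 4 failed
run_loader "$ROBUST"         # one batch, loader keeps going     -> 4 failed
```

The second call shows why -n1 masked the premature exit before it was dropped; the third shows the behaviour the fix aims for, with the non-zero status preserved so the caller can still see that a cache file was bad.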