Overview
Request 567451 revoked
- Add apparmor-prefill-cache.diff, apparmor_prefill_cache.service,
apparmor_prefill_cache.timer: create the cache later if we couldn't
create it during loading of the profiles (read-only root fs)
Request History
kukuk created request
kukuk revoked request
The source project 'home:kukuk:branches:security:apparmor' has been removed
I'm not really happy with this solution (and an upstream discussion came to the same conclusion), but I also understand why it makes sense for Kubic.
TL;DR: I'll accept it as a temporary solution and only for Kubic.
For the long version, let me explain a bit more:
The ideal solution would be to ship an AppArmor features file and to pre-build the profile cache on package installation. A features file is basically a list of rule types etc. a kernel supports, so this even works in the installation chroot and independent of the running kernel version.
There is ongoing work upstream to allow precompiling the profiles for multiple kernels / feature files which will probably land in the next AppArmor release. I'd like to delay using a features file until then.
That said - here's a proposal: I'll accept the added service and timer as a temporary solution until AppArmor has support for multiple caches. I'd also like to have it only in Kubic, so please move apparmor_prefill_service.service and apparmor_prefill_cache.timer to a subpackage that only gets installed on Kubic, maybe with "Supplements: packageand(apparmor-parser:openSUSE-Tumbleweed-Kubic-release)".
I'd also recommend not to create the rcapparmor_rebuild_cache symlink to keep this temporary solution less visible - average users can simply use "rcapparmor reload" which also rebuilds the cache if needed.
Oh, another detail - I assume replacing /sbin/ with %{sbindir} effectively means moving rcapparmor to /usr/sbin/. I'm not against this, but please put a compatibility symlink in /sbin/ for people who have that path hardcoded in some scripts.
(trying CC @cboltz - let's see if this gives me a mail copy of this comment ;-)
@cboltz: review reminder