apparmor/apparmor-enable-profile-cache.diff

Enable caching of profiles.

This speeds up loading the (unchanged) profiles about 20 times.

Upstream doesn't enable caching because the cache directory is not
writeable at the time profiles are loaded in Ubuntu.

See also bnc#689458


Also set the cache location to /var/cache/apparmor/ (writeable) and
/usr/share/apparmor/cache/ (packaged precompiled cache), and adjust
the mount requirements in apparmor.service accordingly.

See boo#1069906 and boo#1074429


Signed-off by: Christian Boltz <apparmor@cboltz.de>

Index: parser/parser.conf
===================================================================
--- parser/parser.conf_ORIG	2018-04-19 22:47:18.485179998 +0200
+++ parser/parser.conf	2018-04-19 22:51:12.084588654 +0200
@@ -31,7 +31,10 @@
 # match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
 
 ## Turn creating/updating of the cache on by default
-#write-cache
+write-cache
+
+# cache location (cache writes go to the first directory in the list)
+cache-loc /var/cache/apparmor,/usr/share/apparmor/cache
 
 ## Show cache hits
 #show-cache
--- parser/apparmor.service_ORIG	2018-04-19 22:58:12.631443321 +0200
+++ parser/apparmor.service	2018-04-19 22:58:47.903343044 +0200
@@ -4,7 +4,7 @@ DefaultDependencies=no
 Before=sysinit.target
 After=systemd-journald-audit.socket
 # profile cache
-After=var.mount var-lib.mount
+After=var.mount var-cache.mount usr.mount usr-share.mount
 ConditionSecurity=apparmor
 
 [Service]
Accepting request 87208 from security:apparmor:factory - add patch with upstream changes since 2.7.0 beta2 release - add example parser.conf - print warning if profile cache directory doesn't exist - remove initscript for no longer existing aa-eventd (bnc#720617) - set correct $HOME in aa-notify - enable caching of profiles (= massive speedup) (bnc#689458) - add comments for patches in .spec and comments in some patches - run spec-cleaner - add libtool as buildrequire to make the spec file more reliable OBS-URL: https://build.opensuse.org/request/show/87208 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=24 2011-10-10 12:10:08 +00:00			`Enable caching of profiles.`

			`This speeds up loading the (unchanged) profiles about 20 times.`

Accepting request 598826 from home:cboltz - create and package precompiled cache (/usr/share/apparmor/cache, read-only) (boo#1069906, boo#1074429) - change (writeable) cache directory to /var/cache/apparmor/ - with the new btrfs layout, the only reason for using /var/lib/apparmor/cache/ (which was "it's part of the / subvolume") is gone, and /var/cache makes more sense for the cache - adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both cache locations - clear cache also in %post of abstractions package OBS-URL: https://build.opensuse.org/request/show/598826 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=208 2018-04-19 23:21:57 +00:00			`Upstream doesn't enable caching because the cache directory is not`
Accepting request 87208 from security:apparmor:factory - add patch with upstream changes since 2.7.0 beta2 release - add example parser.conf - print warning if profile cache directory doesn't exist - remove initscript for no longer existing aa-eventd (bnc#720617) - set correct $HOME in aa-notify - enable caching of profiles (= massive speedup) (bnc#689458) - add comments for patches in .spec and comments in some patches - run spec-cleaner - add libtool as buildrequire to make the spec file more reliable OBS-URL: https://build.opensuse.org/request/show/87208 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=24 2011-10-10 12:10:08 +00:00			`writeable at the time profiles are loaded in Ubuntu.`

			`See also bnc#689458`


Accepting request 598826 from home:cboltz - create and package precompiled cache (/usr/share/apparmor/cache, read-only) (boo#1069906, boo#1074429) - change (writeable) cache directory to /var/cache/apparmor/ - with the new btrfs layout, the only reason for using /var/lib/apparmor/cache/ (which was "it's part of the / subvolume") is gone, and /var/cache makes more sense for the cache - adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both cache locations - clear cache also in %post of abstractions package OBS-URL: https://build.opensuse.org/request/show/598826 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=208 2018-04-19 23:21:57 +00:00			`Also set the cache location to /var/cache/apparmor/ (writeable) and`
			`/usr/share/apparmor/cache/ (packaged precompiled cache), and adjust`
			`the mount requirements in apparmor.service accordingly.`

			`See boo#1069906 and boo#1074429`


Accepting request 87208 from security:apparmor:factory - add patch with upstream changes since 2.7.0 beta2 release - add example parser.conf - print warning if profile cache directory doesn't exist - remove initscript for no longer existing aa-eventd (bnc#720617) - set correct $HOME in aa-notify - enable caching of profiles (= massive speedup) (bnc#689458) - add comments for patches in .spec and comments in some patches - run spec-cleaner - add libtool as buildrequire to make the spec file more reliable OBS-URL: https://build.opensuse.org/request/show/87208 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=24 2011-10-10 12:10:08 +00:00			`Signed-off by: Christian Boltz <apparmor@cboltz.de>`

Accepting request 598826 from home:cboltz - create and package precompiled cache (/usr/share/apparmor/cache, read-only) (boo#1069906, boo#1074429) - change (writeable) cache directory to /var/cache/apparmor/ - with the new btrfs layout, the only reason for using /var/lib/apparmor/cache/ (which was "it's part of the / subvolume") is gone, and /var/cache makes more sense for the cache - adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both cache locations - clear cache also in %post of abstractions package OBS-URL: https://build.opensuse.org/request/show/598826 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=208 2018-04-19 23:21:57 +00:00			`Index: parser/parser.conf`
			`===================================================================`
			`--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200`
			`+++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200`
			`@@ -31,7 +31,10 @@`
Accepting request 87208 from security:apparmor:factory - add patch with upstream changes since 2.7.0 beta2 release - add example parser.conf - print warning if profile cache directory doesn't exist - remove initscript for no longer existing aa-eventd (bnc#720617) - set correct $HOME in aa-notify - enable caching of profiles (= massive speedup) (bnc#689458) - add comments for patches in .spec and comments in some patches - run spec-cleaner - add libtool as buildrequire to make the spec file more reliable OBS-URL: https://build.opensuse.org/request/show/87208 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=24 2011-10-10 12:10:08 +00:00			`# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"`

			`## Turn creating/updating of the cache on by default`
			`-#write-cache`
			`+write-cache`
Accepting request 598826 from home:cboltz - create and package precompiled cache (/usr/share/apparmor/cache, read-only) (boo#1069906, boo#1074429) - change (writeable) cache directory to /var/cache/apparmor/ - with the new btrfs layout, the only reason for using /var/lib/apparmor/cache/ (which was "it's part of the / subvolume") is gone, and /var/cache makes more sense for the cache - adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both cache locations - clear cache also in %post of abstractions package OBS-URL: https://build.opensuse.org/request/show/598826 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=208 2018-04-19 23:21:57 +00:00			`+`
			`+# cache location (cache writes go to the first directory in the list)`
			`+cache-loc /var/cache/apparmor,/usr/share/apparmor/cache`
Accepting request 87208 from security:apparmor:factory - add patch with upstream changes since 2.7.0 beta2 release - add example parser.conf - print warning if profile cache directory doesn't exist - remove initscript for no longer existing aa-eventd (bnc#720617) - set correct $HOME in aa-notify - enable caching of profiles (= massive speedup) (bnc#689458) - add comments for patches in .spec and comments in some patches - run spec-cleaner - add libtool as buildrequire to make the spec file more reliable OBS-URL: https://build.opensuse.org/request/show/87208 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=24 2011-10-10 12:10:08 +00:00
			`## Show cache hits`
			`#show-cache`
Accepting request 598826 from home:cboltz - create and package precompiled cache (/usr/share/apparmor/cache, read-only) (boo#1069906, boo#1074429) - change (writeable) cache directory to /var/cache/apparmor/ - with the new btrfs layout, the only reason for using /var/lib/apparmor/cache/ (which was "it's part of the / subvolume") is gone, and /var/cache makes more sense for the cache - adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both cache locations - clear cache also in %post of abstractions package OBS-URL: https://build.opensuse.org/request/show/598826 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=208 2018-04-19 23:21:57 +00:00			`--- parser/apparmor.service_ORIG 2018-04-19 22:58:12.631443321 +0200`
			`+++ parser/apparmor.service 2018-04-19 22:58:47.903343044 +0200`
			`@@ -4,7 +4,7 @@ DefaultDependencies=no`
			`Before=sysinit.target`
			`After=systemd-journald-audit.socket`
			`# profile cache`
			`-After=var.mount var-lib.mount`
			`+After=var.mount var-cache.mount usr.mount usr-share.mount`
			`ConditionSecurity=apparmor`

			`[Service]`