diff --git a/apparmor-enable-profile-cache.diff b/apparmor-enable-profile-cache.diff index 821d8b8..3ffef7c 100644 --- a/apparmor-enable-profile-cache.diff +++ b/apparmor-enable-profile-cache.diff @@ -2,22 +2,45 @@ Enable caching of profiles. This speeds up loading the (unchanged) profiles about 20 times. -Upstream doesn't enable caching because the cache directory is not +Upstream doesn't enable caching because the cache directory is not writeable at the time profiles are loaded in Ubuntu. See also bnc#689458 +Also set the cache location to /var/cache/apparmor/ (writeable) and +/usr/share/apparmor/cache/ (packaged precompiled cache), and adjust +the mount requirements in apparmor.service accordingly. + +See boo#1069906 and boo#1074429 + + Signed-off by: Christian Boltz ---- a/parser/parser.conf_ORIG 2011-10-09 20:59:31.000000000 +0200 -+++ b/parser/parser.conf 2011-10-09 21:00:15.000000000 +0200 -@@ -28,7 +28,7 @@ +Index: parser/parser.conf +=================================================================== +--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200 ++++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200 +@@ -31,7 +31,10 @@ # match-string "pattern=aadfa audit perms=crwxamlk/ user::other" ## Turn creating/updating of the cache on by default -#write-cache +write-cache ++ ++# cache location (cache writes go to the first directory in the list) ++cache-loc /var/cache/apparmor,/usr/share/apparmor/cache ## Show cache hits #show-cache +--- parser/apparmor.service_ORIG 2018-04-19 22:58:12.631443321 +0200 ++++ parser/apparmor.service 2018-04-19 22:58:47.903343044 +0200 +@@ -4,7 +4,7 @@ DefaultDependencies=no + Before=sysinit.target + After=systemd-journald-audit.socket + # profile cache +-After=var.mount var-lib.mount ++After=var.mount var-cache.mount usr.mount usr-share.mount + ConditionSecurity=apparmor + + [Service] diff --git a/apparmor.changes b/apparmor.changes index 87c39a1..b4e4851 100644 --- a/apparmor.changes +++ b/apparmor.changes 
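Review bot: The new `After=var.mount var-cache.mount usr.mount usr-share.mount` line in the apparmor.service hunk only orders against mount units that happen to exist under exactly those names, so with `DefaultDependencies=no` a cache directory that lives on a differently named mount (e.g. its own subvolume for /var/cache/apparmor) is neither waited for nor pulled in, and the unit does not say whether the cache is required or best-effort. The path-based form `RequiresMountsFor=/var/cache/apparmor /usr/share/apparmor/cache` derives the mount units (including parents) from the paths, but it also adds a hard `Requires=`, which would keep policy from loading if the cache mount fails — presumably not what is wanted for a security service that can compile profiles without a cache. If the ordering is deliberately soft, a comment such as `# profile cache: ordering only, loading must not depend on the cache mounts` next to the `After=` line would make that choice explicit. The enclosing [Unit] section starts outside the hunk.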
@@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Thu Apr 19 22:13:40 UTC 2018 - suse-beta@cboltz.de + +- create and package precompiled cache (/usr/share/apparmor/cache, + read-only) (boo#1069906, boo#1074429) +- change (writeable) cache directory to /var/cache/apparmor/ - with the + new btrfs layout, the only reason for using /var/lib/apparmor/cache/ + (which was "it's part of the / subvolume") is gone, and /var/cache + makes more sense for the cache +- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both + cache locations +- clear cache also in %post of abstractions package + -------------------------------------------------------------------- Thu Apr 19 19:14:54 UTC 2018 - suse-beta@cboltz.de diff --git a/apparmor.spec b/apparmor.spec index 10691c5..7d28c6b 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -348,7 +348,7 @@ SubDomain. %prep %setup -q -%patch1 -p1 +%patch1 %patch2 %patch5 -p1 %patch7 @@ -408,6 +408,10 @@ make -C profiles make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME} %endif +# pre-build profile cache +# note that -L only works with an absolute path, therefore prefix it with $(pwd) +parser/apparmor_parser --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/ + %check %if %{with python3} export PYTHON=/usr/bin/python3 @@ -421,6 +425,10 @@ make check -C binutils # profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks make -C profiles check-parser +# test for a few files that should exist in the cache +test -f profiles/cache/*/bin.ping +test -f profiles/cache/*/.features + make check -C utils %install 
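Review bot: The pre-built cache produced by `parser/apparmor_parser --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/` is keyed on the feature set of the build host's kernel (the `.features` file the %check hunk looks for), so on an installed system whose kernel reports a different feature set the packaged cache is presumably never a hit and the parser falls back to compiling into /var/cache/apparmor. That makes the speed-up depend on the build VM's kernel matching the target, which is worth stating next to the command, e.g. `# the cache is only used when the running kernel's feature set matches the one recorded at build time`. If this parser version supports selecting the feature set explicitly (`--features-file`), pointing it at the feature set of the kernel the distribution ships would make the packaged cache useful deterministically rather than by coincidence of the build host.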
@@ -443,11 +451,20 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor %makeinstall -C profiles +install -d -m 755 %{buildroot}/usr/share/apparmor/cache +cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache +test -f %{buildroot}/usr/share/apparmor/cache/*/.features +test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping + %makeinstall -C parser -# default cache dir is /etc/apparmor.d/cache - not the best location. +# default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location. # Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache ( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache ) +# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location +# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it +mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor +( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d ) %if %{with apache} %makeinstall -C changehat/mod_apparmor @@ -518,11 +535,13 @@ echo ------------------------------------------------------------------- %dir %attr(-, root, root) %{_sysconfdir}/apparmor %dir %{_sysconfdir}/apparmor.d %{_sysconfdir}/apparmor.d/cache +%{_sysconfdir}/apparmor.d/cache.d /sbin/rcapparmor %{_unitdir}/apparmor.service %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf %config(noreplace) %{_sysconfdir}/apparmor/parser.conf %{_localstatedir}/lib/apparmor +%{_localstatedir}/cache/apparmor %dir %attr(-, root, root) %{apparmor_bin_prefix} %{apparmor_bin_prefix}/rc.apparmor.functions %{apparmor_bin_prefix}/apparmor.systemd 
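Review bot: The %files hunk lists `%{_localstatedir}/cache/apparmor` without `%dir` or `%attr`, so its permissions come from the `mkdir -p` in %install (umask-dependent) rather than being pinned; since the parser trusts whatever compiled policy it finds there and loads it into the kernel, a group- or world-writable cache directory would let a non-root user inject policy. Pin it explicitly in the style the file already uses for `%{_sysconfdir}/apparmor`: `%dir %attr(0755, root, root) %{_localstatedir}/cache/apparmor`. The same applies to `install -d -m 755 %{buildroot}/usr/share/apparmor/cache` in the install hunk, which is correct on the build side but whose ownership is likewise not spelled out in %files.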
@@ -563,6 +582,8 @@ fi %config(noreplace) %{_sysconfdir}/apparmor.d/sbin.* %config(noreplace) %{_sysconfdir}/apparmor.d/usr.* %config(noreplace) %{_sysconfdir}/apparmor.d/local/* +%dir /usr/share/apparmor/ +/usr/share/apparmor/cache/ /usr/share/apparmor/extra-profiles/ %files utils @@ -714,12 +735,17 @@ export DISABLE_RESTART_ON_UPDATE="yes" %service_del_postun apparmor.service %post abstractions +# workaround for bnc#904620#c8 / lp#1392042 +rm -f /var/cache/apparmor/* 2>/dev/null #restart_on_update apparmor - but non-broken (bnc#853019) systemctl is-active -q apparmor && systemctl reload apparmor ||: %post profiles # workaround for bnc#904620#c8 / lp#1392042 +# old cache location up to 2.12 rm -f /var/lib/apparmor/cache/* 2>/dev/null +# cache location starting with 2.13 +rm -f /var/cache/apparmor/* 2>/dev/null #restart_on_update apparmor - but non-broken (bnc#853019) systemctl is-active -q apparmor && systemctl reload apparmor ||:
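Review bot: `/usr/share/apparmor/cache/` is packaged in the profiles subpackage, but its content was compiled from the abstractions too, and unlike /var/cache/apparmor it is read-only and cannot be cleared by the `%post abstractions` workaround added in the same commit. If the invalidation gap that workaround exists for (bnc#904620 / lp#1392042) still applies, an abstractions-only update could leave the precompiled cache stale while the parser keeps using it. Either ship the precompiled cache with the abstractions, or make sure profiles and abstractions are upgraded in lockstep (a versioned requirement between them, if the spec does not already have one), and note the coupling next to the entry: `# built from profiles AND abstractions: must stay in sync with the abstractions subpackage`.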
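Review bot: The new `rm -f /var/cache/apparmor/* 2>/dev/null` lines in `%post abstractions` and `%post profiles` do not clear the 2.13 cache: this very commit shows the cache.d layout puts files in per-feature-set subdirectories (`profiles/cache/*/bin.ping`, `profiles/cache/*/.features`), and `rm -f` refuses to remove a directory, with the error hidden by `2>/dev/null`. The stale compiled policy therefore survives the update, which is exactly what the bnc#904620 workaround is meant to prevent. Use `rm -rf /var/cache/apparmor/* 2>/dev/null` in both scriptlets (or `find /var/cache/apparmor -mindepth 1 -delete`), and consider whether `%post abstractions` should also clear the old `/var/lib/apparmor/cache/*` location as `%post profiles` still does.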