Accepting request 598826 from home:cboltz

- create and package precompiled cache (/usr/share/apparmor/cache,
  read-only) (boo#1069906, boo#1074429)
- change (writeable) cache directory to /var/cache/apparmor/ - with the
  new btrfs layout, the only reason for using /var/lib/apparmor/cache/
  (which was "it's part of the / subvolume") is gone, and /var/cache
  makes more sense for the cache
- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both
  cache locations
- clear cache also in %post of abstractions package

OBS-URL: https://build.opensuse.org/request/show/598826
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=208
This commit is contained in:
Christian Boltz 2018-04-19 23:21:57 +00:00 committed by Git OBS Bridge
parent d3384f4923
commit 2cd05a8c5f
3 changed files with 68 additions and 6 deletions


@ -2,22 +2,45 @@ Enable caching of profiles.
This speeds up loading the (unchanged) profiles about 20 times. This speeds up loading the (unchanged) profiles about 20 times.
Upstream doesn't enable caching because the cache directory is not Upstream doesn't enable caching because the cache directory is not
writeable at the time profiles are loaded in Ubuntu. writeable at the time profiles are loaded in Ubuntu.
See also bnc#689458 See also bnc#689458
Also set the cache location to /var/cache/apparmor/ (writeable) and
/usr/share/apparmor/cache/ (packaged precompiled cache), and adjust
the mount requirements in apparmor.service accordingly.
See boo#1069906 and boo#1074429
Signed-off by: Christian Boltz <apparmor@cboltz.de> Signed-off by: Christian Boltz <apparmor@cboltz.de>
--- a/parser/parser.conf_ORIG 2011-10-09 20:59:31.000000000 +0200 Index: parser/parser.conf
+++ b/parser/parser.conf 2011-10-09 21:00:15.000000000 +0200 ===================================================================
@@ -28,7 +28,7 @@ --- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200
+++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200
@@ -31,7 +31,10 @@
# match-string "pattern=aadfa audit perms=crwxamlk/ user::other" # match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
## Turn creating/updating of the cache on by default ## Turn creating/updating of the cache on by default
-#write-cache -#write-cache
+write-cache +write-cache
+
+# cache location (cache writes go to the first directory in the list)
+cache-loc /var/cache/apparmor,/usr/share/apparmor/cache
## Show cache hits ## Show cache hits
#show-cache #show-cache
--- parser/apparmor.service_ORIG 2018-04-19 22:58:12.631443321 +0200
+++ parser/apparmor.service 2018-04-19 22:58:47.903343044 +0200
@@ -4,7 +4,7 @@ DefaultDependencies=no
Before=sysinit.target
After=systemd-journald-audit.socket
# profile cache
-After=var.mount var-lib.mount
+After=var.mount var-cache.mount usr.mount usr-share.mount
ConditionSecurity=apparmor
[Service]
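Review bot: The apparmor.service change adds the new cache mounts only to `After=` (ordering), while the patch description above says it adjusts the "mount requirements"; `After=` does not pull `var-cache.mount`, `usr.mount` or `usr-share.mount` in, it only orders the service behind them if they are scheduled anyway. With `DefaultDependencies=no` in this unit, it is worth confirming that those mounts are wanted by something that runs before sysinit.target (presumably local-fs.target does this), otherwise the parser can start before the writable cache or the packaged precompiled cache is reachable. I would either add a `Requires=`/`Wants=` line if that is the intent, or make the comment say what is relied on, e.g. `# profile cache: ordering only; the mounts are pulled in via local-fs.target`. The parser.conf part of this hunk is consistent with that, since `cache-loc` lists the writable directory first and the read-only packaged one second.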


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Thu Apr 19 22:13:40 UTC 2018 - suse-beta@cboltz.de
- create and package precompiled cache (/usr/share/apparmor/cache,
read-only) (boo#1069906, boo#1074429)
- change (writeable) cache directory to /var/cache/apparmor/ - with the
new btrfs layout, the only reason for using /var/lib/apparmor/cache/
(which was "it's part of the / subvolume") is gone, and /var/cache
makes more sense for the cache
- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both
cache locations
- clear cache also in %post of abstractions package
-------------------------------------------------------------------- --------------------------------------------------------------------
Thu Apr 19 19:14:54 UTC 2018 - suse-beta@cboltz.de Thu Apr 19 19:14:54 UTC 2018 - suse-beta@cboltz.de


@ -348,7 +348,7 @@ SubDomain.
%prep %prep
%setup -q %setup -q
%patch1 -p1 %patch1
%patch2 %patch2
%patch5 -p1 %patch5 -p1
%patch7 %patch7
@ -408,6 +408,10 @@ make -C profiles
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME} make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
%endif %endif
# pre-build profile cache
# note that -L only works with an absolute path, therefore prefix it with $(pwd)
parser/apparmor_parser --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
%check %check
%if %{with python3} %if %{with python3}
export PYTHON=/usr/bin/python3 export PYTHON=/usr/bin/python3
@ -421,6 +425,10 @@ make check -C binutils
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks # profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
make -C profiles check-parser make -C profiles check-parser
# test for a few files that should exist in the cache
test -f profiles/cache/*/bin.ping
test -f profiles/cache/*/.features
make check -C utils make check -C utils
%install %install
@ -443,11 +451,20 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
%makeinstall -C profiles %makeinstall -C profiles
install -d -m 755 %{buildroot}/usr/share/apparmor/cache
cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache
test -f %{buildroot}/usr/share/apparmor/cache/*/.features
test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
%makeinstall -C parser %makeinstall -C parser
# default cache dir is /etc/apparmor.d/cache - not the best location. # default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location.
# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it # Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache ) ( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )
# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location
# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d )
%if %{with apache} %if %{with apache}
%makeinstall -C changehat/mod_apparmor %makeinstall -C changehat/mod_apparmor
@ -518,11 +535,13 @@ echo -------------------------------------------------------------------
%dir %attr(-, root, root) %{_sysconfdir}/apparmor %dir %attr(-, root, root) %{_sysconfdir}/apparmor
%dir %{_sysconfdir}/apparmor.d %dir %{_sysconfdir}/apparmor.d
%{_sysconfdir}/apparmor.d/cache %{_sysconfdir}/apparmor.d/cache
%{_sysconfdir}/apparmor.d/cache.d
/sbin/rcapparmor /sbin/rcapparmor
%{_unitdir}/apparmor.service %{_unitdir}/apparmor.service
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf %config(noreplace) %{_sysconfdir}/apparmor/parser.conf
%{_localstatedir}/lib/apparmor %{_localstatedir}/lib/apparmor
%{_localstatedir}/cache/apparmor
%dir %attr(-, root, root) %{apparmor_bin_prefix} %dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions %{apparmor_bin_prefix}/rc.apparmor.functions
%{apparmor_bin_prefix}/apparmor.systemd %{apparmor_bin_prefix}/apparmor.systemd
@ -563,6 +582,8 @@ fi
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.* %config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.* %config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
%config(noreplace) %{_sysconfdir}/apparmor.d/local/* %config(noreplace) %{_sysconfdir}/apparmor.d/local/*
%dir /usr/share/apparmor/
/usr/share/apparmor/cache/
/usr/share/apparmor/extra-profiles/ /usr/share/apparmor/extra-profiles/
%files utils %files utils
@ -714,12 +735,17 @@ export DISABLE_RESTART_ON_UPDATE="yes"
%service_del_postun apparmor.service %service_del_postun apparmor.service
%post abstractions %post abstractions
# workaround for bnc#904620#c8 / lp#1392042
rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019) #restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||: systemctl is-active -q apparmor && systemctl reload apparmor ||:
%post profiles %post profiles
# workaround for bnc#904620#c8 / lp#1392042 # workaround for bnc#904620#c8 / lp#1392042
# old cache location up to 2.12
rm -f /var/lib/apparmor/cache/* 2>/dev/null rm -f /var/lib/apparmor/cache/* 2>/dev/null
# cache location starting with 2.13
rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019) #restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||: systemctl is-active -q apparmor && systemctl reload apparmor ||:
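Review bot: The new cache-clearing lines in `%post abstractions` and `%post profiles` (`rm -f /var/cache/apparmor/* 2>/dev/null`) will not clear the 2.13-style cache, because that layout keeps the compiled profiles in per-feature subdirectories — the same hunk series checks for `profiles/cache/*/bin.ping` and `profiles/cache/*/.features` in `%check` and `%install`. `rm -f` without `-r` skips directories, the failure is hidden by `2>/dev/null`, and the stale entries survive the update, which is exactly the situation the bnc#904620 workaround is meant to avoid. Change both occurrences to `rm -rf /var/cache/apparmor/* 2>/dev/null` (or `find /var/cache/apparmor -mindepth 1 -delete 2>/dev/null`), keeping the existing `2>/dev/null` so a missing directory stays harmless. The old `/var/lib/apparmor/cache/*` line is a flat layout and is fine as is.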