Accepting request 598826 from home:cboltz
- create and package precompiled cache (/usr/share/apparmor/cache, read-only) (boo#1069906, boo#1074429) - change (writeable) cache directory to /var/cache/apparmor/ - with the new btrfs layout, the only reason for using /var/lib/apparmor/cache/ (which was "it's part of the / subvolume") is gone, and /var/cache makes more sense for the cache - adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both cache locations - clear cache also in %post of abstractions package OBS-URL: https://build.opensuse.org/request/show/598826 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=208
This commit is contained in:
parent
d3384f4923
commit
2cd05a8c5f
@ -2,22 +2,45 @@ Enable caching of profiles.
|
|||||||
|
|
||||||
This speeds up loading the (unchanged) profiles about 20 times.
|
This speeds up loading the (unchanged) profiles about 20 times.
|
||||||
|
|
||||||
Upstream doesn't enable caching because the cache directory is not
|
Upstream doesn't enable caching because the cache directory is not
|
||||||
writeable at the time profiles are loaded in Ubuntu.
|
writeable at the time profiles are loaded in Ubuntu.
|
||||||
|
|
||||||
See also bnc#689458
|
See also bnc#689458
|
||||||
|
|
||||||
|
|
||||||
|
Also set the cache location to /var/cache/apparmor/ (writeable) and
|
||||||
|
/usr/share/apparmor/cache/ (packaged precompiled cache), and adjust
|
||||||
|
the mount requirements in apparmor.service accordingly.
|
||||||
|
|
||||||
|
See boo#1069906 and boo#1074429
|
||||||
|
|
||||||
|
|
||||||
Signed-off by: Christian Boltz <apparmor@cboltz.de>
|
Signed-off by: Christian Boltz <apparmor@cboltz.de>
|
||||||
|
|
||||||
--- a/parser/parser.conf_ORIG 2011-10-09 20:59:31.000000000 +0200
|
Index: parser/parser.conf
|
||||||
+++ b/parser/parser.conf 2011-10-09 21:00:15.000000000 +0200
|
===================================================================
|
||||||
@@ -28,7 +28,7 @@
|
--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200
|
||||||
|
+++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200
|
||||||
|
@@ -31,7 +31,10 @@
|
||||||
# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
|
# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
|
||||||
|
|
||||||
## Turn creating/updating of the cache on by default
|
## Turn creating/updating of the cache on by default
|
||||||
-#write-cache
|
-#write-cache
|
||||||
+write-cache
|
+write-cache
|
||||||
|
+
|
||||||
|
+# cache location (cache writes go to the first directory in the list)
|
||||||
|
+cache-loc /var/cache/apparmor,/usr/share/apparmor/cache
|
||||||
|
|
||||||
## Show cache hits
|
## Show cache hits
|
||||||
#show-cache
|
#show-cache
|
||||||
|
--- parser/apparmor.service_ORIG 2018-04-19 22:58:12.631443321 +0200
|
||||||
|
+++ parser/apparmor.service 2018-04-19 22:58:47.903343044 +0200
|
||||||
|
@@ -4,7 +4,7 @@ DefaultDependencies=no
|
||||||
|
Before=sysinit.target
|
||||||
|
After=systemd-journald-audit.socket
|
||||||
|
# profile cache
|
||||||
|
-After=var.mount var-lib.mount
|
||||||
|
+After=var.mount var-cache.mount usr.mount usr-share.mount
|
||||||
|
ConditionSecurity=apparmor
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
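Review bot: The new `After=var.mount var-cache.mount usr.mount usr-share.mount` line in the apparmor.service hunk hard-codes mount unit names and expresses ordering only, so if either cache directory sits on a mount with a different unit name (or a bind mount) the service can still start before the cache is reachable. `RequiresMountsFor=/var/cache/apparmor /usr/share/apparmor/cache` lets systemd derive the mount units from the paths instead of guessing names; this matters here because the unit has `DefaultDependencies=no` and runs before sysinit.target, though note it also adds a hard dependency, so drop it if a missing cache mount must not fail the service. The `cache-loc` comment added to the parser.conf hunk could also state the ordering rule it relies on, e.g. `# cache location: writes go to the first directory; later entries (packaged, read-only) are read-only fallbacks`.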
@ -1,3 +1,16 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 19 22:13:40 UTC 2018 - suse-beta@cboltz.de
|
||||||
|
|
||||||
|
- create and package precompiled cache (/usr/share/apparmor/cache,
|
||||||
|
read-only) (boo#1069906, boo#1074429)
|
||||||
|
- change (writeable) cache directory to /var/cache/apparmor/ - with the
|
||||||
|
new btrfs layout, the only reason for using /var/lib/apparmor/cache/
|
||||||
|
(which was "it's part of the / subvolume") is gone, and /var/cache
|
||||||
|
makes more sense for the cache
|
||||||
|
- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both
|
||||||
|
cache locations
|
||||||
|
- clear cache also in %post of abstractions package
|
||||||
|
|
||||||
--------------------------------------------------------------------
|
--------------------------------------------------------------------
|
||||||
Thu Apr 19 19:14:54 UTC 2018 - suse-beta@cboltz.de
|
Thu Apr 19 19:14:54 UTC 2018 - suse-beta@cboltz.de
|
||||||
|
|
||||||
|
@ -348,7 +348,7 @@ SubDomain.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch1 -p1
|
%patch1
|
||||||
%patch2
|
%patch2
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch7
|
%patch7
|
||||||
@ -408,6 +408,10 @@ make -C profiles
|
|||||||
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
|
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# pre-build profile cache
|
||||||
|
# note that -L only works with an absolute path, therefore prefix it with $(pwd)
|
||||||
|
parser/apparmor_parser --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
|
||||||
|
|
||||||
%check
|
%check
|
||||||
%if %{with python3}
|
%if %{with python3}
|
||||||
export PYTHON=/usr/bin/python3
|
export PYTHON=/usr/bin/python3
|
||||||
@ -421,6 +425,10 @@ make check -C binutils
|
|||||||
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
|
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
|
||||||
make -C profiles check-parser
|
make -C profiles check-parser
|
||||||
|
|
||||||
|
# test for a few files that should exist in the cache
|
||||||
|
test -f profiles/cache/*/bin.ping
|
||||||
|
test -f profiles/cache/*/.features
|
||||||
|
|
||||||
make check -C utils
|
make check -C utils
|
||||||
|
|
||||||
%install
|
%install
|
||||||
@ -443,11 +451,20 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
|
|||||||
|
|
||||||
%makeinstall -C profiles
|
%makeinstall -C profiles
|
||||||
|
|
||||||
|
install -d -m 755 %{buildroot}/usr/share/apparmor/cache
|
||||||
|
cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache
|
||||||
|
test -f %{buildroot}/usr/share/apparmor/cache/*/.features
|
||||||
|
test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
|
||||||
|
|
||||||
%makeinstall -C parser
|
%makeinstall -C parser
|
||||||
# default cache dir is /etc/apparmor.d/cache - not the best location.
|
# default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location.
|
||||||
# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
|
# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
|
||||||
mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
|
mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
|
||||||
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )
|
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )
|
||||||
|
# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location
|
||||||
|
# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it
|
||||||
|
mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
|
||||||
|
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d )
|
||||||
|
|
||||||
%if %{with apache}
|
%if %{with apache}
|
||||||
%makeinstall -C changehat/mod_apparmor
|
%makeinstall -C changehat/mod_apparmor
|
||||||
@ -518,11 +535,13 @@ echo -------------------------------------------------------------------
|
|||||||
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
|
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
|
||||||
%dir %{_sysconfdir}/apparmor.d
|
%dir %{_sysconfdir}/apparmor.d
|
||||||
%{_sysconfdir}/apparmor.d/cache
|
%{_sysconfdir}/apparmor.d/cache
|
||||||
|
%{_sysconfdir}/apparmor.d/cache.d
|
||||||
/sbin/rcapparmor
|
/sbin/rcapparmor
|
||||||
%{_unitdir}/apparmor.service
|
%{_unitdir}/apparmor.service
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
|
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
|
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
|
||||||
%{_localstatedir}/lib/apparmor
|
%{_localstatedir}/lib/apparmor
|
||||||
|
%{_localstatedir}/cache/apparmor
|
||||||
%dir %attr(-, root, root) %{apparmor_bin_prefix}
|
%dir %attr(-, root, root) %{apparmor_bin_prefix}
|
||||||
%{apparmor_bin_prefix}/rc.apparmor.functions
|
%{apparmor_bin_prefix}/rc.apparmor.functions
|
||||||
%{apparmor_bin_prefix}/apparmor.systemd
|
%{apparmor_bin_prefix}/apparmor.systemd
|
||||||
@ -563,6 +582,8 @@ fi
|
|||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
|
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
|
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
|
||||||
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
|
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
|
||||||
|
%dir /usr/share/apparmor/
|
||||||
|
/usr/share/apparmor/cache/
|
||||||
/usr/share/apparmor/extra-profiles/
|
/usr/share/apparmor/extra-profiles/
|
||||||
|
|
||||||
%files utils
|
%files utils
|
||||||
@ -714,12 +735,17 @@ export DISABLE_RESTART_ON_UPDATE="yes"
|
|||||||
%service_del_postun apparmor.service
|
%service_del_postun apparmor.service
|
||||||
|
|
||||||
%post abstractions
|
%post abstractions
|
||||||
|
# workaround for bnc#904620#c8 / lp#1392042
|
||||||
|
rm -f /var/cache/apparmor/* 2>/dev/null
|
||||||
#restart_on_update apparmor - but non-broken (bnc#853019)
|
#restart_on_update apparmor - but non-broken (bnc#853019)
|
||||||
systemctl is-active -q apparmor && systemctl reload apparmor ||:
|
systemctl is-active -q apparmor && systemctl reload apparmor ||:
|
||||||
|
|
||||||
%post profiles
|
%post profiles
|
||||||
# workaround for bnc#904620#c8 / lp#1392042
|
# workaround for bnc#904620#c8 / lp#1392042
|
||||||
|
# old cache location up to 2.12
|
||||||
rm -f /var/lib/apparmor/cache/* 2>/dev/null
|
rm -f /var/lib/apparmor/cache/* 2>/dev/null
|
||||||
|
# cache location starting with 2.13
|
||||||
|
rm -f /var/cache/apparmor/* 2>/dev/null
|
||||||
#restart_on_update apparmor - but non-broken (bnc#853019)
|
#restart_on_update apparmor - but non-broken (bnc#853019)
|
||||||
systemctl is-active -q apparmor && systemctl reload apparmor ||:
|
systemctl is-active -q apparmor && systemctl reload apparmor ||:
|
||||||
|
|
||||||
|
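Review bot: `rm -f /var/cache/apparmor/* 2>/dev/null` in the new `%post abstractions` block (and the identical line added to `%post profiles`) presumably does not clear the 2.13 cache, because that layout keeps compiled profiles in per-feature subdirectories — the `%build` step writes `profiles/cache/*/bin.ping` and `%check` globs `profiles/cache/*/` — so `rm -f` on those directories fails and the failure is hidden by `2>/dev/null`. `rm -rf -- /var/cache/apparmor/* 2>/dev/null` (or `find /var/cache/apparmor -mindepth 1 -delete`) would remove the stale cache as intended; the old flat `/var/lib/apparmor/cache/*` line is unaffected. A comment next to the `apparmor_parser --write-cache` call would also help: the `.features` file shipped in `/usr/share/apparmor/cache` records the feature set visible in the build environment, so the precompiled cache is likely only a hit on a kernel with the same features and is otherwise silently ignored — confirm, and consider pinning the feature set at build time if the parser supports a features file. The `%check` lines `test -f profiles/cache/*/.features` also error out with "too many arguments" if more than one feature directory exists, which would fail the build for the wrong reason.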