Accepting request 598826 from home:cboltz

- create and package precompiled cache (/usr/share/apparmor/cache,
  read-only) (boo#1069906, boo#1074429)
- change (writeable) cache directory to /var/cache/apparmor/ - with the
  new btrfs layout, the only reason for using /var/lib/apparmor/cache/
  (which was "it's part of the / subvolume") is gone, and /var/cache
  makes more sense for the cache
- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both
  cache locations
- clear cache also in %post of abstractions package

OBS-URL: https://build.opensuse.org/request/show/598826
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=208
This commit is contained in:
Christian Boltz 2018-04-19 23:21:57 +00:00 committed by Git OBS Bridge
parent d3384f4923
commit 2cd05a8c5f
3 changed files with 68 additions and 6 deletions

View File

@ -8,16 +8,39 @@ writeable at the time profiles are loaded in Ubuntu.
See also bnc#689458
Also set the cache location to /var/cache/apparmor/ (writeable) and
/usr/share/apparmor/cache/ (packaged precompiled cache), and adjust
the mount requirements in apparmor.service accordingly.
See boo#1069906 and boo#1074429
Signed-off by: Christian Boltz <apparmor@cboltz.de>
--- a/parser/parser.conf_ORIG 2011-10-09 20:59:31.000000000 +0200
+++ b/parser/parser.conf 2011-10-09 21:00:15.000000000 +0200
@@ -28,7 +28,7 @@
Index: parser/parser.conf
===================================================================
--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200
+++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200
@@ -31,7 +31,10 @@
# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
## Turn creating/updating of the cache on by default
-#write-cache
+write-cache
+
+# cache location (cache writes go to the first directory in the list)
+cache-loc /var/cache/apparmor,/usr/share/apparmor/cache
## Show cache hits
#show-cache
--- parser/apparmor.service_ORIG 2018-04-19 22:58:12.631443321 +0200
+++ parser/apparmor.service 2018-04-19 22:58:47.903343044 +0200
@@ -4,7 +4,7 @@ DefaultDependencies=no
Before=sysinit.target
After=systemd-journald-audit.socket
# profile cache
-After=var.mount var-lib.mount
+After=var.mount var-cache.mount usr.mount usr-share.mount
ConditionSecurity=apparmor
[Service]

View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Thu Apr 19 22:13:40 UTC 2018 - suse-beta@cboltz.de
- create and package precompiled cache (/usr/share/apparmor/cache,
read-only) (boo#1069906, boo#1074429)
- change (writeable) cache directory to /var/cache/apparmor/ - with the
new btrfs layout, the only reason for using /var/lib/apparmor/cache/
(which was "it's part of the / subvolume") is gone, and /var/cache
makes more sense for the cache
- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both
cache locations
- clear cache also in %post of abstractions package
--------------------------------------------------------------------
Thu Apr 19 19:14:54 UTC 2018 - suse-beta@cboltz.de

View File

@ -348,7 +348,7 @@ SubDomain.
%prep
%setup -q
%patch1 -p1
%patch1
%patch2
%patch5 -p1
%patch7
@ -408,6 +408,10 @@ make -C profiles
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
%endif
# pre-build profile cache
# note that -L only works with an absolute path, therefore prefix it with $(pwd)
parser/apparmor_parser --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
%check
%if %{with python3}
export PYTHON=/usr/bin/python3
@ -421,6 +425,10 @@ make check -C binutils
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
make -C profiles check-parser
# test for a few files that should exist in the cache
test -f profiles/cache/*/bin.ping
test -f profiles/cache/*/.features
make check -C utils
%install
@ -443,11 +451,20 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
%makeinstall -C profiles
install -d -m 755 %{buildroot}/usr/share/apparmor/cache
cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache
test -f %{buildroot}/usr/share/apparmor/cache/*/.features
test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
%makeinstall -C parser
# default cache dir is /etc/apparmor.d/cache - not the best location.
# default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location.
# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )
# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location
# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d )
%if %{with apache}
%makeinstall -C changehat/mod_apparmor
@ -518,11 +535,13 @@ echo -------------------------------------------------------------------
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
%dir %{_sysconfdir}/apparmor.d
%{_sysconfdir}/apparmor.d/cache
%{_sysconfdir}/apparmor.d/cache.d
/sbin/rcapparmor
%{_unitdir}/apparmor.service
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
%{_localstatedir}/lib/apparmor
%{_localstatedir}/cache/apparmor
%dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions
%{apparmor_bin_prefix}/apparmor.systemd
@ -563,6 +582,8 @@ fi
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
%dir /usr/share/apparmor/
/usr/share/apparmor/cache/
/usr/share/apparmor/extra-profiles/
%files utils
@ -714,12 +735,17 @@ export DISABLE_RESTART_ON_UPDATE="yes"
%service_del_postun apparmor.service
%post abstractions
# workaround for bnc#904620#c8 / lp#1392042
rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||:
%post profiles
# workaround for bnc#904620#c8 / lp#1392042
# old cache location up to 2.12
rm -f /var/lib/apparmor/cache/* 2>/dev/null
# cache location starting with 2.13
rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||: