Accepting request 598826 from home:cboltz
- create and package precompiled cache (/usr/share/apparmor/cache, read-only) (boo#1069906, boo#1074429) - change (writeable) cache directory to /var/cache/apparmor/ - with the new btrfs layout, the only reason for using /var/lib/apparmor/cache/ (which was "it's part of the / subvolume") is gone, and /var/cache makes more sense for the cache - adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both cache locations - clear cache also in %post of abstractions package OBS-URL: https://build.opensuse.org/request/show/598826 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=208
This commit is contained in:
parent
d3384f4923
commit
2cd05a8c5f
@ -2,22 +2,45 @@ Enable caching of profiles.
|
||||
|
||||
This speeds up loading the (unchanged) profiles about 20 times.
|
||||
|
||||
Upstream doesn't enable caching because the cache directory is not
|
||||
Upstream doesn't enable caching because the cache directory is not
|
||||
writeable at the time profiles are loaded in Ubuntu.
|
||||
|
||||
See also bnc#689458
|
||||
|
||||
|
||||
Also set the cache location to /var/cache/apparmor/ (writeable) and
|
||||
/usr/share/apparmor/cache/ (packaged precompiled cache), and adjust
|
||||
the mount requirements in apparmor.service accordingly.
|
||||
|
||||
See boo#1069906 and boo#1074429
|
||||
|
||||
|
||||
Signed-off by: Christian Boltz <apparmor@cboltz.de>
|
||||
|
||||
--- a/parser/parser.conf_ORIG 2011-10-09 20:59:31.000000000 +0200
|
||||
+++ b/parser/parser.conf 2011-10-09 21:00:15.000000000 +0200
|
||||
@@ -28,7 +28,7 @@
|
||||
Index: parser/parser.conf
|
||||
===================================================================
|
||||
--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200
|
||||
+++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200
|
||||
@@ -31,7 +31,10 @@
|
||||
# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
|
||||
|
||||
## Turn creating/updating of the cache on by default
|
||||
-#write-cache
|
||||
+write-cache
|
||||
+
|
||||
+# cache location (cache writes go to the first directory in the list)
|
||||
+cache-loc /var/cache/apparmor,/usr/share/apparmor/cache
|
||||
|
||||
## Show cache hits
|
||||
#show-cache
|
||||
--- parser/apparmor.service_ORIG 2018-04-19 22:58:12.631443321 +0200
|
||||
+++ parser/apparmor.service 2018-04-19 22:58:47.903343044 +0200
|
||||
@@ -4,7 +4,7 @@ DefaultDependencies=no
|
||||
Before=sysinit.target
|
||||
After=systemd-journald-audit.socket
|
||||
# profile cache
|
||||
-After=var.mount var-lib.mount
|
||||
+After=var.mount var-cache.mount usr.mount usr-share.mount
|
||||
ConditionSecurity=apparmor
|
||||
|
||||
[Service]
|
||||
|
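Review bot: `After=var.mount var-cache.mount usr.mount usr-share.mount` in the apparmor.service hunk is only an ordering against a hand-enumerated list of mount units, so a cache directory that sits on a nested or differently named mount (a bind mount, a separate /var/cache/apparmor subvolume, a network-mounted /usr/share) is not covered. With `DefaultDependencies=no` and the unit ordered `Before=sysinit.target` this matters more now that `write-cache` is enabled: if the real filesystem is not yet mounted, the parser would presumably create its cache on whatever is present under `/var/cache/apparmor` and that copy is later shadowed by the mount. `RequiresMountsFor=/var/cache/apparmor /usr/share/apparmor/cache` states the intent directly and lets systemd derive the required mount units; it can be added alongside the existing `After=` line. The enclosing `[Unit]` section starts outside the hunk.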
@ -1,3 +1,16 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 19 22:13:40 UTC 2018 - suse-beta@cboltz.de
|
||||
|
||||
- create and package precompiled cache (/usr/share/apparmor/cache,
|
||||
read-only) (boo#1069906, boo#1074429)
|
||||
- change (writeable) cache directory to /var/cache/apparmor/ - with the
|
||||
new btrfs layout, the only reason for using /var/lib/apparmor/cache/
|
||||
(which was "it's part of the / subvolume") is gone, and /var/cache
|
||||
makes more sense for the cache
|
||||
- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both
|
||||
cache locations
|
||||
- clear cache also in %post of abstractions package
|
||||
|
||||
--------------------------------------------------------------------
|
||||
Thu Apr 19 19:14:54 UTC 2018 - suse-beta@cboltz.de
|
||||
|
||||
|
@ -348,7 +348,7 @@ SubDomain.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch1
|
||||
%patch2
|
||||
%patch5 -p1
|
||||
%patch7
|
||||
@ -408,6 +408,10 @@ make -C profiles
|
||||
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
|
||||
%endif
|
||||
|
||||
# pre-build profile cache
|
||||
# note that -L only works with an absolute path, therefore prefix it with $(pwd)
|
||||
parser/apparmor_parser --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
|
||||
|
||||
%check
|
||||
%if %{with python3}
|
||||
export PYTHON=/usr/bin/python3
|
||||
@ -421,6 +425,10 @@ make check -C binutils
|
||||
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
|
||||
make -C profiles check-parser
|
||||
|
||||
# test for a few files that should exist in the cache
|
||||
test -f profiles/cache/*/bin.ping
|
||||
test -f profiles/cache/*/.features
|
||||
|
||||
make check -C utils
|
||||
|
||||
%install
|
||||
@ -443,11 +451,20 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
|
||||
|
||||
%makeinstall -C profiles
|
||||
|
||||
install -d -m 755 %{buildroot}/usr/share/apparmor/cache
|
||||
cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache
|
||||
test -f %{buildroot}/usr/share/apparmor/cache/*/.features
|
||||
test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
|
||||
|
||||
%makeinstall -C parser
|
||||
# default cache dir is /etc/apparmor.d/cache - not the best location.
|
||||
# default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location.
|
||||
# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
|
||||
mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
|
||||
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )
|
||||
# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location
|
||||
# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it
|
||||
mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
|
||||
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d )
|
||||
|
||||
%if %{with apache}
|
||||
%makeinstall -C changehat/mod_apparmor
|
||||
@ -518,11 +535,13 @@ echo -------------------------------------------------------------------
|
||||
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
|
||||
%dir %{_sysconfdir}/apparmor.d
|
||||
%{_sysconfdir}/apparmor.d/cache
|
||||
%{_sysconfdir}/apparmor.d/cache.d
|
||||
/sbin/rcapparmor
|
||||
%{_unitdir}/apparmor.service
|
||||
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
|
||||
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
|
||||
%{_localstatedir}/lib/apparmor
|
||||
%{_localstatedir}/cache/apparmor
|
||||
%dir %attr(-, root, root) %{apparmor_bin_prefix}
|
||||
%{apparmor_bin_prefix}/rc.apparmor.functions
|
||||
%{apparmor_bin_prefix}/apparmor.systemd
|
||||
@ -563,6 +582,8 @@ fi
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
|
||||
%dir /usr/share/apparmor/
|
||||
/usr/share/apparmor/cache/
|
||||
/usr/share/apparmor/extra-profiles/
|
||||
|
||||
%files utils
|
||||
@ -714,12 +735,17 @@ export DISABLE_RESTART_ON_UPDATE="yes"
|
||||
%service_del_postun apparmor.service
|
||||
|
||||
%post abstractions
|
||||
# workaround for bnc#904620#c8 / lp#1392042
|
||||
rm -f /var/cache/apparmor/* 2>/dev/null
|
||||
#restart_on_update apparmor - but non-broken (bnc#853019)
|
||||
systemctl is-active -q apparmor && systemctl reload apparmor ||:
|
||||
|
||||
%post profiles
|
||||
# workaround for bnc#904620#c8 / lp#1392042
|
||||
# old cache location up to 2.12
|
||||
rm -f /var/lib/apparmor/cache/* 2>/dev/null
|
||||
# cache location starting with 2.13
|
||||
rm -f /var/cache/apparmor/* 2>/dev/null
|
||||
#restart_on_update apparmor - but non-broken (bnc#853019)
|
||||
systemctl is-active -q apparmor && systemctl reload apparmor ||:
|
||||
|
||||
|
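Review bot: The cache-clearing lines `rm -f /var/cache/apparmor/* 2>/dev/null` in `%post abstractions` and `%post profiles` remove nothing if the 2.13-style cache keeps its files in per-feature-set subdirectories — the same commit tests `profiles/cache/*/bin.ping` and copies `profiles/cache/*` into the packaged cache, so the writable location presumably has the same layout, and a non-recursive `rm -f` on a directory only prints an error that the `2>/dev/null` hides. If that layout holds, the bnc#904620 / lp#1392042 workaround silently stops working; `rm -rf -- /var/cache/apparmor/* 2>/dev/null` (or `find /var/cache/apparmor -mindepth 1 -delete 2>/dev/null`) actually clears it. `%post abstractions` also clears only the new location while `%post profiles` clears both `/var/lib/apparmor/cache` and `/var/cache/apparmor`; if the abstractions package can be updated next to a 2.12 parser, the old path should be cleared there too. The same subdirectory layout also means `test -f profiles/cache/*/bin.ping` in `%check` and `%install` fails with "too many arguments" as soon as more than one feature-set directory exists in the cache.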