Bug ID 1205659
Summary Precompiled profile cache causes hard to debug problems on Tumbleweed
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component AppArmor
Assignee suse-beta@cboltz.de
Reporter suse-beta@cboltz.de
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

The AppArmor profile cache is generated and validated (check if it needs to be
updated) purely based on the file timestamps on the involved files. If the
cache file is newer than all involved files in /etc/apparmor.d, the cache file
will be used (and not updated).

This causes problems in Tumbleweed if
- the user has modified an included file (for example local/*) long ago so
  that it's older than the precompiled cache in apparmor-profiles
- a new kernel with a new cache hash gets released (so the probably valid
  /var/cache/apparmor/$oldhash/$cachefile will no longer be used)

In these cases, the precompiled cache will be loaded, and the modified local/*
file gets ignored. Obviously this also means that the additional permissions
granted in the local/* file will _not_ be allowed.

See the discussion around
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/3XOMZCBAN54ZCGYOCCLGAVYTKQSUZZIP/
for the long version.


The long-term solution is to include a checksum of the text profiles in the
cache file, which is on the TODO list upstream.

Until then, I'll stop shipping the precompiled cache in Tumbleweed.
This might result in a few seconds additional boot time after updates of the
apparmor-profiles package or major kernel updates (with a new AppArmor features
hash), but that's better than loading outdated profile caches into the kernel.

The risk for hitting this problem on Leap is much smaller, because Leap updates
don't include new major kernel versions.
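The mtime-only validation described above, replayed in a constructed scratch tree (added illustration, not AppArmor's or openSUSE's code): a local/* override edited before the precompiled cache is shipped is treated as fresh, while the checksum-of-the-text rule proposed upstream would flag it. Assumes a POSIX sh with `sha256sum` and `touch -t`; all paths and file contents are made up.

```shell
#!/bin/sh
# Constructed demo: why mtime-only cache validation misses an older edit to
# local/*, and how a checksum of the profile text stored with the cache would catch it.
set -e
WORK=${WORK:-$(mktemp -d)}
trap 'rm -rf "$WORK"' EXIT
PROFILES="$WORK/etc/apparmor.d"           # stands in for /etc/apparmor.d
CACHE="$WORK/var/cache/apparmor/feathash"  # stands in for /var/cache/apparmor/$hash

# Today's rule: the cache is stale only if some input file is newer than it.
cache_stale_by_mtime() {
  cache=$1; shift
  for f in "$@"; do
    [ "$f" -nt "$cache" ] && return 0
  done
  return 1
}

# One checksum over the profile text and everything it includes.
profile_checksum() {
  cat "$@" | sha256sum | cut -d' ' -f1
}

# Proposed rule: stale if the checksum recorded at build time no longer matches the text.
cache_stale_by_checksum() {
  cache=$1; shift
  [ "$(cat "$cache.sha256" 2>/dev/null)" != "$(profile_checksum "$@")" ]
}

# Replays the Tumbleweed scenario: local/* edited long ago, cache shipped later.
run_scenario() {
  mkdir -p "$PROFILES/local" "$CACHE"
  main="$PROFILES/usr.bin.demo"; loc="$PROFILES/local/usr.bin.demo"; cache="$CACHE/usr.bin.demo"
  printf '/usr/bin/demo {\n  #include <local/usr.bin.demo>\n}\n' > "$main"
  : > "$loc"                                          # packaged local/ file is empty
  profile_checksum "$main" "$loc" > "$cache.sha256"   # what a checksum-aware build would record
  printf 'compiled-from-pristine-profile\n' > "$cache" # stand-in for the precompiled cache, mtime = now
  printf '  /srv/extra/** r,\n' > "$loc"              # the admin's extra permission...
  touch -t 202001010000 "$main" "$loc"                # ...edited long before the cache was built
  if cache_stale_by_mtime "$cache" "$main" "$loc"; then MTIME_VERDICT=stale; else MTIME_VERDICT=fresh; fi
  if cache_stale_by_checksum "$cache" "$main" "$loc"; then SUM_VERDICT=stale; else SUM_VERDICT=fresh; fi
}

run_scenario
echo "mtime rule: $MTIME_VERDICT (cache reused, local/* ignored); checksum rule: $SUM_VERDICT"
```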

