interfaces/apparmor: use the cache in mtime-resilient way
This patch changes how we invoke apparmor_parser (along with the set of options we pass for cache control).

In the past we would just ask apparmor to parse, compile, load into the kernel and write the cache, for any profiles (changed or unchanged) we know about, for a given snap. This was a safe default, we delegate the task of making this fast to apparmor_parser and just ask it to load _all_ of the profiles, period.

On devices like the Raspberry Pi, that don't have a battery-backed real-time clock, we ran into an issue where on early boot, before NTP had a chance to correct it, the time was essentially stuck in some form of 2016. Here all the source profiles were correct (after being re-written by snapd on system key change in the early boot), the cache was however from the future (since the device wrote the cache on prior boot when it was NTP-synced into 2018).

When the cache is from the future it is used, regardless of the contents of the source files. This resulted in apparmor profiles from the previous boot (and old system key) to apply to the freshly booted system, with catastrophic effects.

While we wait for apparmor to improve its caching in apparmor 2.13 and beyond we can do a simple workaround. Whenever we detect that an apparmor profile has _really_ changed on disk (and this is simple thanks to the ensure-dir-state approach that we use) we call apparmor_parser with an extra command line argument, --skip-cache-read, that totally ignores the cache (and its perhaps-futuristic mtime), parses, compiles, loads the profile and _writes a new cache_.

This way, while our booting device may think it is 2016, it will at least generate and _load_ the updated security profiles correctly.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
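The failure mode and workaround described in the commit message, replayed as an added Go example that is not part of the commit or of snapd. `cacheLooksFresh` is a simplified model of an mtime-only cache check; `parserArgs`, `put`, the file names and the timestamps are constructed for illustration, and apparmor_parser itself is never run.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// cacheLooksFresh models an mtime-only test: the cache wins if it is newer.
func cacheLooksFresh(src, cache string) bool {
	s, err1 := os.Stat(src)
	c, err2 := os.Stat(cache)
	return err1 == nil && err2 == nil && c.ModTime().After(s.ModTime())
}

// parserArgs (hypothetical) decides on content, not mtime: if the text about
// to be written differs from what is on disk, the cache must not be read.
func parserArgs(profile, newText string) []string {
	args := []string{"--replace", "--write-cache"}
	if have, err := os.ReadFile(profile); err != nil || string(have) != newText {
		args = append(args, "--skip-cache-read")
	}
	return append(args, profile)
}

// put writes a file and forces its mtime, standing in for the device clock.
func put(path, data string, clock time.Time) {
	if os.WriteFile(path, []byte(data), 0o644) != nil || os.Chtimes(path, clock, clock) != nil {
		panic("cannot prepare " + path)
	}
}

// demo replays the two boots with constructed files and timestamps.
func demo() (trusted bool, changedArgs, steadyArgs []string) {
	dir, err := os.MkdirTemp("", "aa-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	src, cache := filepath.Join(dir, "profile"), filepath.Join(dir, "profile.cache")
	put(src, "old rules", time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC))
	put(cache, "compiled old rules", time.Date(2018, 6, 1, 0, 0, 1, 0, time.UTC))
	changedArgs = parserArgs(src, "new rules") // decided before the rewrite
	put(src, "new rules", time.Date(2016, 2, 11, 0, 0, 0, 0, time.UTC)) // early boot, no NTP yet
	return cacheLooksFresh(src, cache), changedArgs, parserArgs(src, "new rules")
}

func main() { fmt.Println(demo()) }
```

The first result is `true`: the mtime check still trusts the cache compiled from the old rules, while the content comparison adds `--skip-cache-read` for the rewritten profile and omits it once the profile on disk already matches.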
Showing 3 changed files with 66 additions and 26 deletions.