dirs,interfaces/apparmor: remove unused apparmor cache entries #770

Merged
merged 6 commits into from Apr 1, 2016

Conversation

Projects
None yet
3 participants
Contributor

zyga commented Mar 31, 2016

This branch ensures we remove entries from /var/cache/apparmor corresponding to removed apparmor profiles. We have to do this because apparmor_parser writes the cache but never removes it.

zyga added some commits Mar 31, 2016

dirs: add variable for /var/cache/apparmor
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
interfaces/apparmor: use variable for /var/cache/apparmor
This patch just makes access to apparmor cache directory follow standard
directory variables so that upcoming support to apparmor cache removal
can be easily tested.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
interfaces/apparmor: add RemoveCachedProfile()
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
interfaces/apparmor: remove cache when removing profile
This patch ensures that we remove the apparmor cache file when removing
the profile text. The cache is written by apparmor_parser but is never
removed.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
interfaces/apparmor/apparmor_test.go
@@ -70,6 +73,22 @@ apparmor_parser output:
"--replace --write-cache -O no-expr-simplify --cache-loc=/var/cache/apparmor /path/to/snap.samba.smbd"})
@jdstrand

jdstrand Mar 31, 2016

Contributor

This context for the diff shows a hard-coded --cache-loc. Please adjust it and any other uses of --cache-loc. With those changes, LGTM.

@zyga

zyga Mar 31, 2016

Contributor

This is okay (in this case) because we don't divert the root directory. I can add the diversion to ensure we are indeed using the variable name.

interfaces/apparmor/backend.go
@@ -169,12 +169,14 @@ func reloadProfiles(profiles []string) error {
return nil
}
-func unloadProfiles(profiles []string) error {
+func unloadAndRemoveCachedProfiles(profiles []string) error {
@niemeyer

niemeyer Mar 31, 2016

Contributor

Let's please keep the original function name. The point is still to unload the profile. The fact we clean up the cache is an implementation detail of it.

@zyga

zyga Apr 1, 2016

Contributor

Done

interfaces/apparmor/backend_test.go
+ err = os.MkdirAll(dirs.AppArmorCacheDir, 0700)
+ c.Assert(err, IsNil)
+ // Mock away any real apparmor interaction
+ s.cmds = map[string]*testutil.MockCmd{
@niemeyer

niemeyer Mar 31, 2016

Contributor

Why do we need this map?

parser := testutil.MockCommand(c, "apparmor_parser" ...)

?

@niemeyer

niemeyer Mar 31, 2016

Contributor

Same for all equivalent entries below.

@zyga

zyga Apr 1, 2016

Contributor

We don't, it's just looks nicer to me to refer to a particular command as it appears on the shell rather than through a go variable name. I can get rid of it easily.

@zyga

zyga Apr 1, 2016

Contributor

Removed now

interfaces/apparmor/apparmor.go
@@ -49,6 +52,11 @@ func LoadProfile(fname string) error {
return nil
}
+// RemoveCachedProfile removes binary cache file from /var/cache/apparmor
+func RemoveCachedProfile(profile string) error {
+ return os.Remove(filepath.Join(dirs.AppArmorCacheDir, profile))
@niemeyer

niemeyer Mar 31, 2016

Contributor

Why isn't that being done inside UnloadProfile itself? This would make it the complement of LoadProfile, which writes the cache.

@zyga

zyga Apr 1, 2016

Contributor

Yeah, that makes sense. Done now.

Contributor

niemeyer commented Mar 31, 2016

LGTM, but it feels like the logic might be simplified a bit in some cases, per inline comments.

zyga added some commits Apr 1, 2016

intefaces/apparmor: unify UnloadProfile and RemoveCachedProfile
This patch merges the two function so that LoadProfile is completely
undone by UnloadProfile. In addition, it is no longer an error for
UnloadProfile to not remove a missing cache entry (for whatever reason,
the cache might be missing and this should not be a problem).

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
interfaces/apparmor: simplify mocking of apparmor_parser
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

@zyga zyga merged commit baf26ec into snapcore:master Apr 1, 2016

2 of 4 checks passed

Integration tests Started
Details
autopkgtest Triggered
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
coverage/coveralls Coverage decreased (-0.06%) to 76.523%
Details
+ err = os.MkdirAll(dirs.AppArmorCacheDir, 0700)
+ c.Assert(err, IsNil)
+ // Mock away any real apparmor interaction
+ s.mockCmd = testutil.MockCommand(c, "apparmor_parser", fakeAppArmorParser)
@niemeyer

niemeyer Apr 1, 2016

Contributor

Which mock command? This should probably be s.parserCmd.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment