Control: tag -1 + upstream

Hi,

upstream/parser developers, there's a question for you at the bottom.

Marco d'Itri:
> "systemctl status apparmor" deletes the
> /etc/apparmor.d/cache/CACHEDIR.TAG that I created.

Confirmed.

> Also, please ship a CACHEDIR.TAG file in the apparmor package if the
> cache directory cannot be moved out of /etc/.

Good idea.

I've taken a look. It's easy to patch /lib/apparmor/functions to avoid
deleting that file:

- num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
+ num=`find "$cache_dir" -type f ! -name '.features' ! -name 'CACHEDIR.TAG' | wc -l`

 clear_cache_system() {
- find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+ find "$PROFILES_CACHE" -maxdepth 1 \
+   -name CACHEDIR.TAG -prune -o \
+   -type f -print0 | xargs -0 rm -f --
 }

 clear_cache_var() {
- find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+ find "$PROFILES_CACHE_VAR" -maxdepth 1 \
+   -name CACHEDIR.TAG -prune -o \
+   -type f -print0 | xargs -0 rm -f --
 }

…

*but* that's not enough. The load_configured_profiles function runs
apparmor_parser with --write-cache, which empties the cache directory
including CACHEDIR.TAG: it calls aa_policy_cache_remove, that does

  return _aa_dirat_for_each(dirfd, path, NULL, clear_cache_cb);

… and then clear_cache_cb deletes the file it receives as argument as
long as it's a regular file.

Dear upstream/parser developers, would it feel crazy to modify
clear_cache_cb to ignore the passed file if its basename is
CACHEDIR.TAG? Or should _aa_dirat_for_each get a list of excluded file
names as a new argument, or something similar?

If any of these approaches seems acceptable, is anyone around willing to
write this patch, or should I try to find a C person elsewhere?

Thanks in advance!

Cheers,
--
intrigeri
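Review bot: the num= hunk quotes the name ('CACHEDIR.TAG') while the two clear_cache_* hunks leave it unquoted; pick one form so a later grep for the marker finds all three places, and consider a single variable for the file name since it now appears three times in /lib/apparmor/functions.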
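Review bot: in the clear_cache_system and clear_cache_var hunks, "-name CACHEDIR.TAG -prune -o -type f -print0" is the directory-pruning idiom and reads as if a subtree were being skipped; "-maxdepth 1 ! -name CACHEDIR.TAG -type f -print0", the same form the num= hunk already uses, says the intent directly. The two functions are now identical apart from the variable, so a shared helper taking the cache directory as its argument would keep the exclusion in one place when the parser-side fix lands.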
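The callback change asked about above, written out as a standalone C example added here; it is not libapparmor's clear_cache_cb or _aa_dirat_for_each (their signatures are not on this page), and the function names, the /tmp template and the sample file names are hypothetical. It skips the marker by basename and otherwise unlinks regular files only, matching the behaviour the mail describes.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not libapparmor's own: true when the basename of
 * `path` is the cache-dir marker that must survive a purge. */
int is_cachedir_tag(const char *path)
{
    const char *base = strrchr(path, '/');
    return strcmp(base ? base + 1 : path, "CACHEDIR.TAG") == 0;
}

/* Unlink every regular file directly under `dir`, keeping CACHEDIR.TAG
 * (the check the mail proposes for clear_cache_cb). Returns the number of
 * files removed, or -1 if the directory cannot be opened. */
int clear_cache_dir(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    struct dirent *ent; struct stat st; int removed = 0;
    while ((ent = readdir(d)) != NULL) {
        if (is_cachedir_tag(ent->d_name)) continue;        /* preserve marker */
        if (fstatat(dirfd(d), ent->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) continue;
        if (S_ISREG(st.st_mode) && unlinkat(dirfd(d), ent->d_name, 0) == 0) removed++;
    }
    closedir(d); return removed;
}

/* Self-check on constructed files in a fresh temporary directory: returns how
 * many files were removed if CACHEDIR.TAG survived the purge, else -1. */
int demo_in_tmpdir(void)
{
    char dir[] = "/tmp/aa-cache-XXXXXX", path[256];
    const char *names[] = { "usr.bin.example", ".features", "CACHEDIR.TAG" };
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        FILE *f = fopen(path, "w");   /* the marker gets the cachedir.org signature line */
        if (f) { fputs(i == 2 ? "Signature: 8a477f597d28d172789f06886806bc55\n" : "x\n", f); fclose(f); }
    }
    int removed = clear_cache_dir(dir);
    snprintf(path, sizeof path, "%s/CACHEDIR.TAG", dir);
    int survived = access(path, F_OK) == 0;
    unlink(path); rmdir(dir);
    return survived ? removed : -1;
}
```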