WIP: Multiple policy cache directories
Implement support for multiple policy cache directories. A new policy cache dir will exist for each unique set of AppArmor kernel features that the parser sees. By default, the policy cache directories are located in /etc/apparmor.d/cache.d/. Each policy cache directory is an 8-character string which is the output of a djb2 hash where the input is the features string that's constructed from apparmorfs (or a different source if specified on the parser command line). This results in cache directories such as /etc/apparmor.d/cache.d/00001505/ and /etc/apparmor.d/cache.d/db76596e/. Their contents are identical to the contents of /etc/apparmor.d/cache/ today.
Admins can discover the location of the policy cache directory path of the currently running kernel by passing the --print-cache-dir option to apparmor_parser.
Outside of general discussion about this approach, there are some known issues with this merge request that need addressing before the "WIP" prefix can be removed from the merge request:

- The parser does not yet expose the max_caches parameter of aa_policy_cache_new() to admins.
- Hash collisions are not detected/handled. (Is this needed?)
- Tests are needed to identify changes in the <features_id> calculations so that we don't unknowingly modify the algorithm.
- Tests are needed to stress this feature some more.
- Consider how this feature melds with policy versioning.
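The following is an added worked example of the <features_id> derivation described above (djb2 over the features string, rendered as 8 hex characters); it is illustration written for this page, not the merge request's or libapparmor's code. It assumes the textbook djb2 parameters (seed 5381, h = h * 33 + c, wrapping at 32 bits) and a lowercase `%08x` rendering, and the features string it hashes is a constructed sample rather than one captured from a kernel. Under those assumptions the empty string hashes to 0x1505, i.e. the directory name 00001505 quoted in the description, which is exactly the kind of fixed vector the third known-issue item (pinning the algorithm with tests) would want.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* djb2 (Bernstein): h = h * 33 + c, seeded with 5381.
 * Assumed parameters; arithmetic wraps mod 2^32 as uint32_t. */
uint32_t djb2_hash(const char *s)
{
	uint32_t h = 5381;
	for (const unsigned char *p = (const unsigned char *)s; *p; p++)
		h = ((h << 5) + h) + *p;	/* h * 33 + c */
	return h;
}

/* Render the 32-bit hash as the 8 lowercase hex characters that name
 * the cache directory (assumed "%08x" formatting). out must hold 9 bytes. */
void features_id(const char *features, char out[9])
{
	snprintf(out, 9, "%08x", djb2_hash(features));
}

/* Build "<base>/<features_id>" into buf.
 * Returns 0 on success, -1 if buf is too small (result truncated). */
int features_cache_dir(const char *base, const char *features,
		       char *buf, size_t len)
{
	char id[9];
	features_id(features, id);
	int n = snprintf(buf, len, "%s/%s", base, id);
	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Constructed sample in the flattened style of the apparmorfs features
 * tree. Not captured from a real kernel; only its hash is of interest. */
static const char SAMPLE_FEATURES[] =
	"file {mask {read write exec append mmap_exec link lock}}\n"
	"policy {versions {v5 v6 v7}}\n";

int main(void)
{
	const char *inputs[] = { "", SAMPLE_FEATURES };
	char dir[256];

	for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
		if (features_cache_dir("/etc/apparmor.d/cache.d", inputs[i],
				       dir, sizeof dir) == 0)
			printf("%s\n", dir);
	}

	/* A one-byte change to the features string yields a different id:
	 * this is what keeps caches for different kernels apart. Any
	 * collision handling (second known issue) would have to sit on top. */
	char a[9], b[9];
	features_id("abc", a);
	features_id("abd", b);
	printf("abc -> %s, abd -> %s, distinct=%d\n", a, b, strcmp(a, b) != 0);
	return 0;
}
```

Run as is, the empty input prints /etc/apparmor.d/cache.d/00001505. Because the seed, the multiplier and the formatting all feed into the directory name, a regression test that pins a few (input, id) pairs like the ones above is enough to catch an accidental change to any of them.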