WIP: Multiple policy cache directories
Implement support for multiple policy cache directories. A new policy cache dir will exist for each unique set of AppArmor kernel features that the parser sees. By default, the policy cache directories are located in
/etc/apparmor.d/cache.d/. Each policy cache directory name is an 8-character string, the output of a djb2 hash over the features string that is constructed from apparmorfs (or from a different source if one is specified on the parser command line).
This results in cache directories such as
/etc/apparmor.d/cache.d/db76596e/. Their contents are identical to the contents of
Admins can discover the location of the policy cache directory path of the currently running kernel by passing the
--print-cache-dir option to
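As an added illustration (not code from the AppArmor parser or from this merge request), the C program below derives a cache directory name the way the description sketches it: a djb2 hash over a features string, rendered as 8 hex characters and appended to the cache base directory. The seed 5381 and multiply-by-33 form, the constructed features string and the helper names are assumptions; the parser's exact djb2 variant and the real features text are not given here, so the ids need not match db76596e. It also shows two short inputs that hash to the same 32-bit djb2 value, which is the kind of collision the known-issues list below asks about.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic djb2: h = h * 33 + c, seeded with 5381, truncated to 32 bits.
 * Assumption: the parser's own variant (seed, add vs. xor, width) may differ. */
uint32_t djb2(const char *s)
{
    uint32_t h = 5381;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        h = (h * 33) + *p;
    return h;
}

/* Render the 32-bit hash as an 8-character, zero-padded lowercase hex id.
 * out must have room for 9 bytes (8 hex digits plus NUL). */
void features_id(const char *features, char out[9])
{
    snprintf(out, 9, "%08x", djb2(features));
}

/* Build <base>/<features_id>/ into buf. Returns the length written,
 * or -1 if buf is too small (the result must never be silently truncated,
 * since a truncated path would point at the wrong directory). */
int cache_dir_path(const char *base, const char *features, char *buf, size_t len)
{
    char id[9];
    features_id(features, id);
    int n = snprintf(buf, len, "%s/%s/", base, id);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* 1 if two different features strings map to the same cache id.
 * djb2 is not collision resistant: changing one byte by +1 and the
 * following byte by -33 leaves the hash unchanged. */
int ids_collide(const char *a, const char *b)
{
    return strcmp(a, b) != 0 && djb2(a) == djb2(b);
}

int main(void)
{
    /* Constructed features string, loosely shaped like apparmorfs output;
     * it is not the real kernel feature set. */
    const char *features =
        "caps {mask {chown dac_override}}\n"
        "file {mask {create read write exec}}\n"
        "network {af_unix {yes}}\n";
    char path[128];

    if (cache_dir_path("/etc/apparmor.d/cache.d", features, path, sizeof path) < 0)
        return 1;
    printf("cache dir: %s\n", path);

    /* "Aa" and "B@" differ, yet hash identically under djb2. */
    printf("collision: %d\n", ids_collide("Aa", "B@"));
    return 0;
}
```

The collision check is the point worth keeping in mind when deciding whether the parser needs to detect collisions: a 32-bit id is cheap to compute and to compare against what `--print-cache-dir` reports, but two distinct feature sets can share one directory, so any collision handling has to compare the stored feature set itself rather than the id.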
Outside of general discussion about this approach, there are some known issues with this merge request that need addressing before the "WIP" prefix can be removed from the merge request:
- The parser does not yet expose the
- Hash collisions are not detected/handled. (Is this needed?)
- Tests are needed to identify changes in the <features_id> calculations so that we don't unknowingly modify the algorithm.
- Tests are needed to stress this feature some more.
- Consider how this feature melds with policy versioning.