apparmor_parser fails to consider its own time stamp when determining if profile cache is stale
Bug #731184 reported by John Johansen
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Medium | Unassigned |
2.6 | Fix Released | Medium | Unassigned |
Bug Description
If the apparmor_parser is updated (outside of current packaging), when doing profile loads it will use the existing cache of compiled profiles, instead of forcing a recompile on profiles.
This can cause apparmor to load bad policy if the parser contains a bug fix for the previous version of the parser.
This can be worked around in packaging by invalidating the cache and forcing a profile reload when the parser is upgraded.
Changed in apparmor:
status: New → Triaged
importance: Undecided → Medium
milestone: none → 2.6.1
The Ubuntu packaging for the parser already does this.
For a more air-tight solution, the parser version should likely be included in the future cache metadata.
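A sketch of the staleness check this report asks for, as an added example that is not apparmor_parser code and not part of the original report. It assumes staleness is judged by comparing file modification times; `cache_is_stale`, `make_file`, `check_case` and the `/tmp/aa_demo_*` paths are hypothetical, and treating equal timestamps as stale is a conservative choice made here.

```c
/* Added example, not apparmor_parser source; all names are hypothetical. */
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>

/* Returns 1 when the cache must be rebuilt, 0 when it may be loaded. The cache is
 * trusted only if it is strictly newer than the profile AND the parser binary. */
int cache_is_stale(const char *cache, const char *profile, const char *parser)
{
    struct stat c, p, b;
    if (stat(cache, &c) || stat(profile, &p) || stat(parser, &b))
        return 1;                 /* no cache or missing input: recompile */
    if (p.st_mtime >= c.st_mtime)
        return 1;                 /* profile changed after the cache was written */
    return b.st_mtime >= c.st_mtime;  /* parser replaced after the cache was written */
}

/* Creates an empty constructed file with the given mtime. */
static int make_file(const char *path, time_t mtime)
{
    struct utimbuf t = { mtime, mtime };
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fclose(f);
    return utime(path, &t);
}

/* Builds constructed profile, cache and parser files under /tmp, runs the check. */
int check_case(time_t profile_t, time_t cache_t, time_t parser_t)
{
    char prof[64], cache[64], parser[64];
    snprintf(prof, sizeof prof, "/tmp/aa_demo_%ld_profile", (long)getpid());
    snprintf(cache, sizeof cache, "/tmp/aa_demo_%ld_cache", (long)getpid());
    snprintf(parser, sizeof parser, "/tmp/aa_demo_%ld_parser", (long)getpid());
    if (make_file(prof, profile_t) || make_file(cache, cache_t) || make_file(parser, parser_t))
        return -1;
    int stale = cache_is_stale(cache, prof, parser);
    unlink(prof); unlink(cache); unlink(parser);
    return stale;
}

int main(void)
{
    printf("parser older than cache: stale=%d\n", check_case(1000, 2000, 1500));
    printf("parser newer than cache: stale=%d\n", check_case(1000, 2000, 3000));
    return 0;
}
```

A timestamp comparison cannot distinguish parsers when a replaced binary carries an mtime older than the cache, which is the gap that recording the parser version in the cache metadata would close.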