snapd no longer detects apparmor changes on upgrade
Bug #1569581 reported by
Jamie Strandboge
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Snappy |
Fix Released
|
High
|
Zygmunt Krynicki | ||
apparmor (Ubuntu) |
Triaged
|
High
|
Jamie Strandboge | ||
Xenial |
Triaged
|
High
|
Jamie Strandboge | ||
snapd (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Xenial |
Triaged
|
High
|
Unassigned |
Bug Description
snappy in 16.04 used to compare /usr/share/
snapd must have a means to detect changes to the parser or the abstractions which the snap may #include, otherwise we cannot deliver parser and policy fixes from apparmor to installed snaps. It is fine to use a different method than what we had before, but we need to have something.
Changed in snapd (Ubuntu): | |
importance: | Undecided → High |
Changed in snappy: | |
importance: | Undecided → High |
description: | updated |
Changed in snappy: | |
milestone: | none → sru-1 |
milestone: | sru-1 → sru-2 |
Changed in snappy: | |
status: | New → Triaged |
Changed in snapd (Ubuntu): | |
status: | Triaged → Fix Released |
To post a comment you must log in.
I discussed this issue with Gustavo and we think that apparmor itself should detect this and re-load all profiles when a change to any of the parsers or templates occurs. From snappy's POV we will re-load all profiles for a specific snap each time something in that snap changes *AND* we promise to detect changes to the internal templates built into snappy. We would not like to detect changes to apparmor itself as that can be done by a systemd job shipped with apparmor. That job should simply compile and re-load all the profiles stored in a standard directory (or have a way for snappy to tell apparmor that it stores profiles in a non-standard directory).
What do you think?