[FFe] need method to reload policy on first boot after system-image upgrade
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
click-apparmor (Ubuntu) | Fix Released | High | Jamie Strandboge |
Saucy | Fix Released | High | Jamie Strandboge |
Bug Description
This bug addresses a deficiency in lxc-android-config (see bug #1215092) by adding an upstart job for click-apparmor. Not only does it handle that bug, it allows us in the future to clean up policy load during boot.
Justification:
Currently updates to system packages for RO images are run on the server with postinst, triggers, etc. running there such that when an image based update is delivered, all of this is already done. This works fine for most software, but it is not enough for click package apparmor profiles after the system has apparmor policy updates. Consider this scenario:
1. user uses RO Ubuntu image on a device
2. user installs 15 click packages
3. bug is found in apparmor policy for the ubuntu-sdk apparmor template
4. apparmor-
5. image based upgrade picks this up and includes the new apparmor-
6. the update is delivered to users
At this point, newly installed click packages will get the apparmor policy fixes, but not the original 15. It is a requirement for application confinement that we are able to update policy for already installed click packages. Currently, policy updates may happen via apparmor, apparmor-
By shipping a click-apparmor upstart job, we can detect policy changes in these packages and act accordingly. Note, the click system hooks job is not enough, because that correctly uses 'aa-clickhook' without arguments. We must use 'aa-clickhook -f', but only when system policy has changed ('aa-clickhook -f' is more expensive than aa-clickhook on its own, adding a second or more to boot, so we should only use it when we have to).
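One way to gate 'aa-clickhook -f' on a system policy change, as an added example and not the click-apparmor upstart job itself: it hashes the policy inputs and compares the result with a stamp left by the previous boot. The function names, the stamp file and the directory arguments are assumptions, not paths taken from the package.

```shell
#!/bin/sh
# Added example, not the shipped click-apparmor job.
# STAMP, FORCE_CMD and the policy directories are hypothetical parameters.

# policy_digest DIR...
# Print one digest covering the path and content of every file under DIR...
# A missing directory contributes nothing, so its later appearance changes the digest.
policy_digest() {
    find "$@" -type f -exec sha256sum {} + 2>/dev/null \
        | LC_ALL=C sort -k 2 \
        | sha256sum \
        | cut -d' ' -f1
}

# reload_if_changed STAMP FORCE_CMD DIR...
# Returns 0 if policy changed and FORCE_CMD succeeded,
#         1 if policy is unchanged (the cheap default hook run is enough),
#         2 if FORCE_CMD failed (stamp left untouched so the next boot retries).
reload_if_changed() {
    stamp=$1
    force_cmd=$2
    shift 2

    new=$(policy_digest "$@") || return 2
    old=$(cat "$stamp" 2>/dev/null || true)

    if [ "$new" = "$old" ]; then
        return 1
    fi

    # Expensive path: regenerate and reload every installed click profile.
    $force_cmd || return 2

    # Record the digest only after success, and atomically, so an interrupted
    # boot never leaves a stamp that hides stale profiles.
    tmp="$stamp.tmp.$$"
    printf '%s\n' "$new" > "$tmp" && mv "$tmp" "$stamp"
    return 0
}

# Example invocation (placeholders, not real package paths):
#   reload_if_changed /path/to/stamp "aa-clickhook -f" /path/to/policy/templates
```

Recording the stamp only after the forced run succeeds means a failed regeneration is retried on the next boot instead of leaving the already installed packages on the old policy.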
Changed in click-apparmor (Ubuntu Saucy):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
status: New → In Progress
tags: added: application-confinement
tags: added: patch
18:53 < infinity> jdstrand: Well, FFe granted for the feature, reservations registered about the vomitous implementation. :P