I would like to propose we change how policy compiles are being done and cached.
Currently the compiler (apparmor_parser) checks the feature set supported by the kernel and the abi and uses this combined information to compile the policy. The problem with this is that as feature support changes in the kernel this mandates that policy must be recompiled even if the abi has not changed.

Instead I would like to see the compiler base its caching and compile decision only around the compiler and kernel abis. This would mean the full feature set supported by the compiler would be included in the compile. The backend abi of the policydb allows for incremental addition of new features as long as the abi of an existing feature doesn't change. The feature set supported by the kernel could still be used to provide warnings that certain parts of policy may not be enforced by the current kernel.

The net effect of this change would be that the cache could be reused between more kernels, meaning fewer policy recompiles. This also implies that a precompiled policy could be used to support multiple kernels, making it easier to support distribution of pre-built cache files.

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
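The following is an added, constructed model of the two cache-key policies the proposal compares; it is not apparmor_parser's code, and the kernel names, feature sets and abi numbers are made-up sample values. It shows why keying the cache on the kernel's feature set forces a recompile per kernel, while keying on the compiler and kernel abis lets one compile serve all three kernels, with the missing features reported as warnings instead.

```python
"""Constructed model (not apparmor_parser's code) of the two cache-key
policies compared in the proposal: keying on the kernel's feature set
versus keying only on the compiler and kernel abis."""
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class Kernel:
    name: str
    abi: int             # policydb abi the kernel accepts (made-up)
    features: frozenset  # feature set the kernel reports (made-up)

# Made-up sample values: one compiler and three kernels that share an
# abi but report progressively larger feature sets.
COMPILER_ABI = 1
COMPILER_FEATURES = frozenset({"file", "network", "mount", "signal", "ptrace"})
KERNELS = [
    Kernel("k-old", 1, frozenset({"file", "network"})),
    Kernel("k-mid", 1, frozenset({"file", "network", "mount"})),
    Kernel("k-new", 1, frozenset({"file", "network", "mount", "signal"})),
]

def _digest(*parts):
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()

def key_current(kernel):
    """Current scheme: policy is compiled for the features both compiler and
    kernel support, so any kernel feature change yields a new cache key."""
    return _digest(COMPILER_ABI, kernel.abi, sorted(COMPILER_FEATURES & kernel.features))

def key_proposed(kernel):
    """Proposed scheme: compile the compiler's full feature set; the key
    depends only on the compiler abi and the kernel abi."""
    return _digest(COMPILER_ABI, kernel.abi, sorted(COMPILER_FEATURES))

def unsupported_features(kernel):
    """Compiled-in features this kernel will not enforce; the proposal would
    report these as warnings rather than force a recompile."""
    return sorted(COMPILER_FEATURES - kernel.features)

def compiles_needed(key_fn, kernels=KERNELS):
    """Distinct cache entries, i.e. compiles, needed across a set of kernels."""
    return len({key_fn(k) for k in kernels})

if __name__ == "__main__":
    print("current :", compiles_needed(key_current))   # 3 compiles
    print("proposed:", compiles_needed(key_proposed))  # 1 compile, reused
    for k in KERNELS:
        print(k.name, "would not enforce:", unsupported_features(k))
```

A kernel with a different abi still gets its own cache key under the proposed scheme, since the abi is the one thing the policydb backend cannot absorb incrementally.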
