On Thursday, 16 January 2014, 14:49:06 Kees Cook wrote:
> On Thu, Jan 16, 2014 at 07:37:04PM +0100, Didier 'OdyX' Raboud wrote:
> > man deb-triggers contradicts you, in my reading; an 'activate
> > /etc/apparmor.d' triggers' file in apparmor would make its action
> > run _before_ cups (which would have shipped
> > /etc/apparmor.d/usr.sbin.cupsd) would be 'configured' (hence its
> > postinst run).
> 
> Right, sorry, you are right, but my original observation stands: we
> should never reload all apparmor profiles when installing a single
> profile. Just the single profile should be reloaded. Otherwise we end
> up doing very CPU expensive work for no reason. The point of
> dh-apparmor is to reload a single profile, not all of them.

That's quite easily circumvented in the trigger code by maintaining a 
list of timestamps for the various apparmor.d/* files, as is done for 
cups:

http://sources.debian.net/src/cups/1.7.1-2/debian/cups.postinst#L181

Then the trigger can reload only the concerned profiles, and never do it 
for all of them. (Using the dpkg hashsums instead of timestamps would 
allow doing it only for _changed_ profiles too.)

I'll try implementing something along those lines this week-end.

Cheers,
OdyX

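The approach sketched in the message above, written out as an added example (this is not cups' postinst nor dh-apparmor's own code): a trigger handler that records a checksum per file in /etc/apparmor.d and, on each run, reloads only the profiles whose content differs from the recorded state. It hashes the files directly with md5sum instead of reading dpkg's per-package .md5sums lists, so a profile edited by hand is also picked up; the state-file path, the APPARMOR_DIR/STATE_FILE/RELOAD_CMD variables and the "triggered" usage stanza are assumptions for the example, not an interface of either package.

```shell
#!/bin/sh
# Added example: reload only AppArmor profiles whose content changed since the
# previous trigger run, keyed on md5sums rather than mtimes.

APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"
# Hypothetical state-file location; a real package would pick its own.
STATE_FILE="${STATE_FILE:-/var/lib/apparmor/profile-sums}"
# Command used to (re)load one profile; overridable so it can be stubbed.
RELOAD_CMD="${RELOAD_CMD:-apparmor_parser -r}"

# Emit "md5sum  path" for every regular file directly under APPARMOR_DIR.
# Subdirectories (abstractions/, tunables/, disable/, ...) are not profiles,
# and dpkg's *.dpkg-new/-old/-dist leftovers are skipped too.
profile_sums() {
    find "$APPARMOR_DIR" -maxdepth 1 -type f ! -name '.*' ! -name '*.dpkg-*' \
        -exec md5sum {} + | sort -k2
}

# Print the path of every profile whose "md5sum  path" line is not present
# in the recorded state: new profiles and profiles whose content changed.
# A touch that leaves the content alone changes mtime but not the hash, so
# it is correctly ignored.
changed_profiles() {
    new=$(mktemp)
    profile_sums > "$new"
    if [ -f "$STATE_FILE" ]; then old="$STATE_FILE"; else old=/dev/null; fi
    while IFS= read -r line; do
        if ! grep -Fxq -- "$line" "$old"; then
            # md5sum separates hash and path with two spaces.
            printf '%s\n' "${line#*  }"
        fi
    done < "$new"
    rm -f "$new"
}

# Reload each changed profile individually, then record the new state so the
# next run starts from it. Prints the number of profiles reloaded; returns
# non-zero (and leaves the old state in place) if a reload fails.
reload_changed_profiles() {
    list=$(mktemp)
    changed_profiles > "$list"
    n=0
    while IFS= read -r profile; do
        $RELOAD_CMD "$profile" || { rm -f "$list"; return 1; }
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    mkdir -p "$(dirname "$STATE_FILE")"
    profile_sums > "$STATE_FILE"
    echo "$n"
}

# Usage from a postinst: dpkg invokes it as "postinst triggered <name>" when
# the trigger fires, which is the only case handled here.
case "${1:-}" in
    triggered)
        n=$(reload_changed_profiles) || exit 1
        echo "Reloaded $n changed AppArmor profile(s)"
        ;;
esac
```

Because the state is written only after every reload succeeded, a profile that failed to parse stays "changed" and is retried on the next trigger run instead of being silently recorded as current.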