Public bug reported:

User space trusted helpers have no way to detect when policy changes have been loaded into the kernel. This prevents the applications from being able to cache permission queries. Currently trusted helpers have not done caching (wish list feature); however, the gsettings proxy requires userspace caching of permissions due to how the gsettings proxy has to work.
This means that policy loads result in stale gsettings policy, which results in incorrect mediation.

Add a revision file to the apparmorfs interface that allows detection of the current revision number for apparmor policy. This file can be read like a pipe, or used via poll, which is sufficient for the gsettings proxy to detect changes and invalidate its cache.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: linux (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: linux (Ubuntu Yakkety)
     Importance: Undecided
         Status: New

** Affects: linux (Ubuntu Zesty)
     Importance: Undecided
         Status: New

** Also affects: linux (Ubuntu Zesty)
     Importance: Undecided
         Status: New

** Also affects: linux (Ubuntu Yakkety)
     Importance: Undecided
         Status: New

** Also affects: linux (Ubuntu Xenial)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1678032

Title:
  apparmor: does not provide a way to detect policy updates

Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  New
Status in linux source package in Yakkety:
  New
Status in linux source package in Zesty:
  New
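The cache invalidation the report asks for, sketched as an added example that is not code from the bug report or from AppArmor: a userspace permission cache that polls the revision file before trusting a cached answer and flushes itself when a new revision is readable. The file path and the `query` callable are assumptions; the report only says the file lives in apparmorfs.

```python
import os
import select

# Assumption: the report names no path; this is where apparmorfs is usually mounted.
DEFAULT_REVISION_PATH = "/sys/kernel/security/apparmor/revision"


class RevisionWatcher:
    """Non-blocking poll() on the policy revision file."""

    def __init__(self, path=DEFAULT_REVISION_PATH):
        self.fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
        self.poller = select.poll()
        self.poller.register(self.fd, select.POLLIN)

    def changed(self, timeout_ms=0):
        """Return True if at least one new revision was readable."""
        seen = False
        while self.poller.poll(timeout_ms):
            try:
                data = os.read(self.fd, 64)
            except BlockingIOError:
                break          # readiness was spurious, nothing to read
            if not data:
                break          # EOF or hang-up: no new revision
            seen, timeout_ms = True, 0   # drain any further queued updates
        return seen


class CachedPermissions:
    """Caches answers from `query` (hypothetical callable: label, perm -> bool)."""

    def __init__(self, query, watcher):
        self.query = query
        self.watcher = watcher
        self.cache = {}

    def allowed(self, label, perm):
        # Check for a policy load before trusting any cached answer.
        if self.watcher.changed():
            self.cache.clear()
        key = (label, perm)
        if key not in self.cache:
            self.cache[key] = self.query(label, perm)
        return self.cache[key]
```

Without the revision check in `allowed`, the cached answer would keep being returned after a policy load, which is the stale mediation the report describes.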