mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00

apparmor_parser doesn't use its time stamp when determining if cache is stale

If the apparmor_parser is updated (outside of current packaging), when
doing profile loads it will use the existing cache of compiled profiles,
instead of forcing a recompile on profiles.

This can cause apparmor to load bad policy if the parser contains a bug
fix for the previous version of the parser.

This can be worked around in packaging by invalidating the cache and
forcing a profile reload when the parser is upgraded.

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen
2011-03-08 14:49:03 -08:00
parent 258c39d4a5
commit 55bad42088

@@ -805,6 +805,7 @@ int process_profile(int option, char *profilename)
char * cachename = NULL;
char * cachetemp = NULL;
char *basename = NULL;
FILE *cmd;
/* per-profile states */
force_complain = opt_force_complain;
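Review bot: the new `FILE *cmd;` local in process_profile() is named as if it held a command, but the only thing it is used for is a handle on the parser's own executable. A name such as `parser_exe`, with a one-line comment saying it exists only to feed the binary's timestamp into the cache staleness check, would make the intent clear. It is also left uninitialised while the neighbouring pointers are set to NULL; initialising it the same way keeps the declarations consistent.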
@@ -852,6 +853,12 @@ int process_profile(int option, char *profilename)
update_mru_tstamp(yyin);
}
cmd = fopen("/proc/self/exe", "r");
if (cmd) {
update_mru_tstamp(cmd);
fclose(cmd);
}
retval = yyparse();
if (retval != 0)
goto out;
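Review bot: when `fopen("/proc/self/exe", "r")` fails, the `if (cmd)` guard skips the timestamp update silently, so on a system where /proc is not mounted (early boot, a chroot) the parser's timestamp is never considered and a cache compiled by an older parser can still be loaded. Consider treating that failure as "cache is stale", or at least emitting a warning, so the check fails safe. The block also has no comment explaining why the parser's own binary is passed to update_mru_tstamp(); one line tying it to cache invalidation would help the next reader.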