[pkg-apparmor] Bug#883584: A reload deletes /etc/apparmor.d/cache/CACHEDIR.TAG

intrigeri intrigeri at debian.org
Wed Dec 6 10:26:34 UTC 2017


Control: tag -1 + upstream

Hi,

upstream/parser developers, there's a question for you at the bottom.

Marco d'Itri:
> "systemctl status apparmor" deletes the 
> /etc/apparmor.d/cache/CACHEDIR.TAG that I created.

Confirmed.

> Also, please ship a CACHEDIR.TAG file in the apparmor package if the 
> cache directory cannot be moved out of /etc/.

Good idea.

I've taken a look. It's easy to patch /lib/apparmor/functions to avoid
deleting that file:

-		num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
+		num=`find "$cache_dir" -type f ! -name '.features' ! -name 'CACHEDIR.TAG' | wc -l`
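Review bot: the new `! -name 'CACHEDIR.TAG'` predicate is the right shape for excluding a file by basename, but it is not the form the two clear_cache functions below use (they go through `-name CACHEDIR.TAG -prune -o`); pick one idiom for all three sites so a later exclusion only has to be learned once. Also note this find has no `-maxdepth 1`, unlike the two rm loops, so the count can include files in subdirectories that the clear functions never remove; that mismatch predates the change but is worth a second look while touching this line.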

 clear_cache_system() {
-	find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+	find "$PROFILES_CACHE" -maxdepth 1 \
+	    -name CACHEDIR.TAG -prune -o \
+	    -type f -print0 | xargs -0 rm -f --
 }
 
 clear_cache_var() {
-	find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+	find "$PROFILES_CACHE_VAR" -maxdepth 1 \
+	    -name CACHEDIR.TAG -prune -o \
+	    -type f -print0 | xargs -0 rm -f --
 }
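Review bot: `-prune` does nothing useful on a regular file; the exclusion in both functions only works because the `-name CACHEDIR.TAG` branch evaluates true and `-o` then short-circuits past `-type f -print0`. The plainer `find "$PROFILES_CACHE" -maxdepth 1 -type f ! -name CACHEDIR.TAG -print0` says the same thing without the reader having to reason about -prune, and it matches the `! -name` predicate used for the count above. clear_cache_system and clear_cache_var are now the same lines apart from the variable; a single helper taking the directory as its argument would keep the excluded-names list in one place when the next name comes along.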

… *but* that's not enough. The load_configured_profiles function runs
apparmor_parser with --write-cache, which empties the cache directory
including CACHEDIR.TAG: it calls aa_policy_cache_remove, that does

        return _aa_dirat_for_each(dirfd, path, NULL, clear_cache_cb);

… and then clear_cache_cb deletes the file it receives as argument as
long as it's a regular file.

Dear upstream/parser developers, would it feel crazy to modify
clear_cache_cb to ignore the passed file if its basename is
CACHEDIR.TAG? Or should _aa_dirat_for_each get a list of excluded file
names as a new argument, or something similar?

If any of these approaches seems acceptable, is anyone around willing
to write this patch, or should I try to find a C person elsewhere?

Thanks in advance!

Cheers,
-- 
intrigeri
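
The change sketched above for clear_cache_cb, written out as a self-contained C example (added here; it is neither libapparmor's code nor part of intrigeri's mail): a one-level directory walker in the spirit of _aa_dirat_for_each, and a clear_cache_cb stand-in that unlinks regular files unless their basename is on a keep list, exercised against a constructed scratch cache directory. The names clear_cache_cb and dirat_for_each, their signatures, the kept_names table, wipe_cache_dir and the sample file names are assumptions for illustration; the real parser's callback signature is not shown in the mail.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Basenames a cache wipe must leave alone. Hypothetical: the real parser
 * has no such table; this is the "list of excluded file names" idea. */
static const char *const kept_names[] = { "CACHEDIR.TAG", NULL };

/* Stand-in for clear_cache_cb (the real callback's signature differs):
 * unlink regular files under base_fd unless their basename is kept. */
static int clear_cache_cb(int base_fd, const char *name)
{
    struct stat st;
    for (size_t i = 0; kept_names[i] != NULL; i++)
        if (strcmp(name, kept_names[i]) == 0)
            return 0;                     /* excluded: do not touch */
    if (fstatat(base_fd, name, &st, AT_SYMLINK_NOFOLLOW) < 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;                         /* dirs, symlinks: untouched */
    return unlinkat(base_fd, name, 0);
}

/* Stand-in for _aa_dirat_for_each: visit one level, no recursion. */
static int dirat_for_each(int base_fd, const char *path,
                          int (*cb)(int, const char *))
{
    int fd = openat(base_fd, path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    DIR *d = fdopendir(fd);
    if (d == NULL) { close(fd); return -1; }
    int rc = 0;
    struct dirent *ent;
    while (rc == 0 && (ent = readdir(d)) != NULL)
        if (strcmp(ent->d_name, ".") != 0 && strcmp(ent->d_name, "..") != 0)
            rc = cb(fd, ent->d_name);
    closedir(d);                          /* also closes fd */
    return rc;
}

/* What the --write-cache wipe would do to the directory at path. */
int wipe_cache_dir(const char *dir)
{
    return dirat_for_each(AT_FDCWD, dir, clear_cache_cb);
}

/* Entries directly under dir other than "." and "..", or -1 on error. */
int count_entries(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    int n = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL)
        if (strcmp(ent->d_name, ".") != 0 && strcmp(ent->d_name, "..") != 0)
            n++;
    closedir(d);
    return n;
}

/* 1 if dir/name exists (any file type), else 0. */
int entry_exists(const char *dir, const char *name)
{
    char path[4096];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return lstat(path, &st) == 0;
}

/* Constructed sample cache directory: two fake profile caches, the
 * .features file and CACHEDIR.TAG. Returns a malloc'd path or NULL. */
char *make_sample_cache(void)
{
    static const char *const names[] =
        { "usr.sbin.cupsd", "usr.bin.man", ".features", "CACHEDIR.TAG" };
    char tmpl[] = "/tmp/aa-cache-XXXXXX";
    if (mkdtemp(tmpl) == NULL) return NULL;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char path[4096];
        snprintf(path, sizeof path, "%s/%s", tmpl, names[i]);
        FILE *f = fopen(path, "w");
        if (f == NULL) return NULL;
        fputs("constructed sample content\n", f);   /* not a real cache */
        fclose(f);
    }
    return strdup(tmpl);
}
```

After wipe_cache_dir() runs on the sample directory, the two profile caches and .features are gone and CACHEDIR.TAG is the only entry left, which is the behaviour the Debian functions above and the parser's --write-cache path would both need for the tag file to survive a reload.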


