This step is not quite right if you are talking about snapd’s invocation of apparmor_parser. Since snapd will look at what is on disk and what it expects, if they are different, I would expect that snapd would call apparmor_parser without considering the cache (ie, this step should use --skip-read-cache) since it knows it needs to update the cache. However, if you are talking about the apparmor service, then yes, it will use the 2018 cache files since the time is off.
But snapd doesn’t use --skip-read-cache, I was describing the current behavior. We can obviously add --skip-read-cache to snapd but this would nullify all optimizations since we call apparmor_parser for all profiles even if they don’t change: https://github.com/snapcore/snapd/blob/master/interfaces/apparmor/backend.go#L346
1 Like
I seem to have forgotten we are doing that. I thought the whole point of EnsureDir was to avoid calling apparmor_parser. --skip-read-cache could be another thing to consider.
Yes, the design of ensure is that it can detect changes but we said we would not rely on that since we really want to measure the profile in the kernel. We could expand the logic to compile profiles (using content caching perhaps), measure the profile in the kernel and only inject if they actually differ.