tparchambault
commented
11 months ago Does the Profiler use the same unit file? I'm thinking of the use-case where we are dry running a proposed rule set (if that's even a thing on the roadmap.)
Closed jw3 closed 8 months ago
tparchambault
commented
11 months ago Does the Profiler use the same unit file? I'm thinking of the use-case where we are dry running a proposed rule set (if that's even a thing on the roadmap.)
Rules can now be reloaded with a signal rather than full daemon reload.
https://github.com/linux-application-whitelisting/fapolicyd/pull/243
Flashback: Trust was moved to using the full daemon reload because Rules required it. Now that Rules can be signaled, Trust could return to a signal. This opens the door for deployments without a daemon reload.
There could be other impacts there though, for example if bad rules were deployed, there might not be a way to write compiled.rules without stopping the daemon. Daemon stopping could become a fallback, with the optimization of not stopping becoming the first attempt.
The summary is that its not clear-cut that this needs to be supported, needs some though.
After a quick read of the linked PR it is not obvious whether rules.d is recalculated in any way, or if compiled.rules is the only thing being reloaded. Ill dig deeper later, but either way we are good, since we are writing still writing our own compiled.rules. This could impact the validity of #555.