[PATCH] apparmor: Add support for local profile customizations

Christian Ehrhardt christian.ehrhardt at canonical.com
Fri Jun 23 07:21:39 UTC 2023


On Thu, Jun 22, 2023 at 7:11 PM Jim Fehlig <jfehlig at suse.com> wrote:
>
> On 6/22/23 08:50, Andrea Bolognani wrote:
> > On Thu, Jun 08, 2023 at 10:37:43AM -0600, Jim Fehlig wrote:
> >> On 6/8/23 08:11, Andrea Bolognani wrote:
> >>> Note that the Debian package has included this patch[1] for many
> >>> years, and while it partially overlaps with what you've added here, I
> >>> see that local overrides for abstractions are missing.
> >>>
> >>> Is there a specific reason why you skipped them? Or should we add
> >>> those too?
> >>
> >> I assumed users would make VM customizations in the per-VM profiles. And I
> >> suppose overrides of abstractions seems a little odd to me, but that's
> >> subjective :-). I'm fine adding it if there's agreement.
> >
> > The per-VM profile is generated at runtime based on the template, no?
> > AFAIK there is no way for the admin to inject changes that affect a
> > single VM, but I could be wrong about this.
>
> The per-VM profile is only generated once, right? So in theory admins could
> amend existing per-VM profiles with custom config.

You are both right - one is generated once, the other always :-)

In /etc/apparmor.d/libvirt/ you'll have 2 generated files per guest:
1. libvirt-<uuid>
2. libvirt-<uuid>.files

#1 is a wrapper
- it includes abstractions/libvirt-qemu which hold the global rules
- it includes #2
- it is only regenerated when being deleted or in some error
conditions, due to that admins could drop in per-guest rules here
- this worked, but was so far too uncomfortable (UUID as index, how to
find the file, ...) and unreliable (potential to be regenerated in
some conditions, we never guaranteed and therefore never tested, due
to that this was sometimes broken in the past) to be recommended so
far

#2 is the set of rules generated based on the guest config
- This is regenerated on each start as it has to reflect changes to guest XML

=> We might improve on that with the discussions started here to make
the behavior of #1 expected, reliable and tested.

> > Anyway, there might be some changes that are local only but apply to
> > all VMs, and allowing overrides to the abstractions would cater to
> > that use case, so it makes sense to me to implement those as well.
> >
> > Do you mind cooking up a patch so that we can have the whole sha-bang
> > included in the upcoming release? Thanks in advance!
>
> I should have time to do that today.
>
> Regards,
> Jim
>


-- 
Christian Ehrhardt
Senior Staff Engineer and acting Director, Ubuntu Server
Canonical Ltd
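The two-file layout Christian describes above (a rarely regenerated libvirt-<uuid> wrapper that pulls in abstractions/libvirt-qemu and a libvirt-<uuid>.files part that is rewritten on every guest start) means any rule an admin drops into the wrapper is at risk whenever the wrapper is regenerated. The script below is an added example, not libvirt's or the patch's code: it inventories which per-guest wrappers in a directory carry lines beyond the generated skeleton, so an administrator knows which customizations would be lost on regeneration. It assumes the wrapper shape sketched in the thread (a `profile libvirt-<uuid>` block containing exactly the two includes plus `tunables/global`, written with the classic `#include` syntax); the UUIDs, disk paths and the extra rule are constructed for the demo.

```shell
#!/bin/sh
# Added example (not libvirt code): find per-guest AppArmor wrappers that
# contain admin customizations. Assumed layout, per the thread:
#   <dir>/libvirt-<uuid>        wrapper: tunables/global, abstractions/libvirt-qemu,
#                               libvirt/libvirt-<uuid>.files; seldom regenerated
#   <dir>/libvirt-<uuid>.files  rules derived from the guest XML; regenerated per start

# Print every line of a wrapper that is not part of the assumed generated skeleton.
custom_lines() {
    wrapper=$1
    uuid=$(basename "$wrapper")
    uuid=${uuid#libvirt-}
    awk -v uuid="$uuid" '
        /^[ \t]*$/ { next }                                        # blank line
        /^[ \t]*#include[ \t]*<tunables\/global>/ { next }         # generated include
        /^[ \t]*#include[ \t]*<abstractions\/libvirt-qemu>/ { next }
        index($0, "#include <libvirt/libvirt-" uuid ".files>") { next }
        /^[ \t]*#/ && !/^[ \t]*#include/ { next }                  # plain comment
        /^[ \t]*profile[ \t]+libvirt-/ { next }                    # profile header
        /^[ \t]*}[ \t]*$/ { next }                                 # closing brace
        { print }                                                  # anything else is local
    ' "$wrapper"
}

# Print the UUID of each guest whose wrapper carries local customizations.
list_customized() {
    dir=$1
    for w in "$dir"/libvirt-*; do
        case $w in *.files) continue ;; esac    # skip the per-start .files part
        [ -f "$w" ] || continue
        if [ -n "$(custom_lines "$w")" ]; then
            b=$(basename "$w")
            echo "${b#libvirt-}"
        fi
    done
}

# Write a wrapper and .files pair in the assumed shape (constructed content).
# An optional third argument is an extra admin rule placed inside the profile.
write_wrapper() {
    dir=$1; uuid=$2; extra=$3
    {
        echo "#include <tunables/global>"
        echo "profile libvirt-$uuid flags=(attach_disconnected) {"
        echo "  #include <abstractions/libvirt-qemu>"
        echo "  #include <libvirt/libvirt-$uuid.files>"
        [ -n "$extra" ] && echo "  $extra"
        echo "}"
    } > "$dir/libvirt-$uuid"
    echo "  \"/var/lib/libvirt/images/$uuid.qcow2\" rwk," > "$dir/libvirt-$uuid.files"
}

# Build a constructed profile directory: one untouched guest, one customized guest.
make_sample_dir() {
    dir=$(mktemp -d)
    write_wrapper "$dir" "11111111-2222-3333-4444-555555555555"
    write_wrapper "$dir" "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" '"/srv/backups/**" r,'
    echo "$dir"
}

# Stand-alone demo: build the constructed tree, report, clean up.
demo_dir=$(make_sample_dir)
echo "guests with local customizations under $demo_dir:"
list_customized "$demo_dir"
rm -rf "$demo_dir"
```

Against a real host you would call `list_customized /etc/apparmor.d/libvirt` and review `custom_lines` for each reported guest before anything causes the wrapper to be regenerated; the skeleton patterns are deliberately narrow, so a wrapper written with a different template shape will show its whole body as "custom" rather than hiding a rule.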