<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 7, 2020 at 6:14 PM Daniel P. Berrangé <<a href="mailto:berrange@redhat.com" target="_blank">berrange@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Fri, Aug 07, 2020 at 12:21:19PM +0200, Christian Ehrhardt wrote:<br>
> The design of apparmor in libvirt always had a way to define custom<br>
> per-guest rules as described in docs/drvqemu.html and [1].<br>
> <br>
> A fix meant to clean the profiles after guest shutdown was a bit<br>
> overzealous and accidentally removed this important admin feature as<br>
> well.<br>
> <br>
> Therefore reduce the --delete option of virt-aa-helper to only delete<br>
> the .files that would be re-generated in any case.<br>
> <br>
> Users/Admins are always free to clean the profiles themselves if they<br>
> prefer a clean directory - they will be regenerated as needed. But<br>
> libvirt should never remove the base profile meant to allow per-guest<br>
> overrides and thereby break a documented feature.<br>
> <br>
> [1]: <a href="https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage" rel="noreferrer" target="_blank">https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage</a><br>
> <br>
> Fixes: eba2225b "apparmor: delete profile on VM shutdown"<br>
> <br>
> Signed-off-by: Christian Ehrhardt <<a href="mailto:christian.ehrhardt@canonical.com" target="_blank">christian.ehrhardt@canonical.com</a>><br>
> ---<br>
>  src/security/virt-aa-helper.c | 3 +--<br>
>  1 file changed, 1 insertion(+), 2 deletions(-)<br>
<br>
Reviewed-by: Daniel P. Berrangé <<a href="mailto:berrange@redhat.com" target="_blank">berrange@redhat.com</a>><br></blockquote><div><br></div><div><div>(as with the other recent apparmor patch)</div><div>Thanks for the review - there was no negative feedback so far and in tests this worked fine.</div><div>I'm committing the changes to not be postponed too close to the next release.</div></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
Regards,<br>
Daniel<br>
-- <br>
|: <a href="https://berrange.com" rel="noreferrer" target="_blank">https://berrange.com</a>      -o-    <a href="https://www.flickr.com/photos/dberrange" rel="noreferrer" target="_blank">https://www.flickr.com/photos/dberrange</a> :|<br>
|: <a href="https://libvirt.org" rel="noreferrer" target="_blank">https://libvirt.org</a>         -o-            <a href="https://fstop138.berrange.com" rel="noreferrer" target="_blank">https://fstop138.berrange.com</a> :|<br>
|: <a href="https://entangle-photo.org" rel="noreferrer" target="_blank">https://entangle-photo.org</a>    -o-    <a href="https://www.instagram.com/dberrange" rel="noreferrer" target="_blank">https://www.instagram.com/dberrange</a> :|<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr">Christian Ehrhardt<br>Staff Engineer, Ubuntu Server<br>Canonical Ltd</div></div>