[libvirt] [PATCH 6/8] apparmor: include local apparmor profiles

Stefan Bader stefan.bader at canonical.com
Thu May 18 08:53:44 UTC 2017


From: Felix Geyer <fgeyer at debian.org>

Local overrides are a feature the Debian/Ubuntu libvirt packages have provided for
a while. They give the administrator a file that is not a package conffile, which
can be used to extend the packaged rules with site-specific content.

This change adds the include directives to the apparmor profiles
for virt-aa-helper and libvirtd.

Additionally extended the build environment to carry template local
profiles and install them into the correct places. Without that the
include directives would prevent the profile from loading.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
Acked-by: Jamie Strandboge <jamie at canonical.com>
---
 examples/Makefile.am                                   | 14 ++++++++++++++
 examples/apparmor/local-usr.lib.libvirt.virt-aa-helper |  2 ++
 examples/apparmor/local-usr.sbin.libvirtd              |  2 ++
 examples/apparmor/usr.lib.libvirt.virt-aa-helper       |  3 +++
 examples/apparmor/usr.sbin.libvirtd                    |  3 +++
 5 files changed, 24 insertions(+)
 create mode 100644 examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
 create mode 100644 examples/apparmor/local-usr.sbin.libvirtd

diff --git a/examples/Makefile.am b/examples/Makefile.am
index 2956e14..16c7bf6 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -25,6 +25,8 @@ EXTRA_DIST = \
 	apparmor/libvirt-lxc \
 	apparmor/usr.lib.libvirt.virt-aa-helper \
 	apparmor/usr.sbin.libvirtd \
+	apparmor/local-usr.sbin.libvirtd \
+	apparmor/local-usr.lib.libvirt.virt-aa-helper \
 	lxcconvert/virt-lxc-convert \
 	polkit/libvirt-acl.rules \
 	$(wildcard $(srcdir)/systemtap/*.stp) \
@@ -74,6 +76,18 @@ apparmor_DATA = \
 	apparmor/usr.sbin.libvirtd \
 	$(NULL)
 
+localdir = $(apparmordir)/local
+local_DATA = \
+	apparmor/local-usr.sbin.libvirtd \
+	apparmor/local-usr.lib.libvirt.virt-aa-helper \
+	$(NULL)
+
+install-data-hook:
+	mv $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd \
+	   $(DESTDIR)$(localdir)/usr.sbin.libvirtd
+	mv $(DESTDIR)$(localdir)/local-usr.lib.libvirt.virt-aa-helper \
+	   $(DESTDIR)$(localdir)/usr.lib.libvirt.virt-aa-helper
+
 abstractionsdir = $(apparmordir)/abstractions
 abstractions_DATA = \
 	apparmor/libvirt-qemu \
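Review bot: The two `mv` lines in install-data-hook overwrite whatever already exists at `$(DESTDIR)$(localdir)/usr.sbin.libvirtd` and `$(DESTDIR)$(localdir)/usr.lib.libvirt.virt-aa-helper`, so a repeated `make install` on a host where the administrator has already filled in those site-local files silently replaces their rules (including any extra `deny` rules) with the empty template. Since the files exist precisely to hold local edits, the hook should only perform the rename when no site file is present and otherwise discard the freshly installed template. A matching uninstall-hook is also absent; the automake-generated uninstall target presumably removes the `local-` names, which no longer exist after the rename, so the renamed files are left behind. Whether Debian's packaging guards this separately is not visible from the patch, but upstream `make install` needs the check itself.
```make
install-data-hook:
	for f in usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper; do \
	  if test -e "$(DESTDIR)$(localdir)/$$f"; then \
	    rm -f "$(DESTDIR)$(localdir)/local-$$f"; \
	  else \
	    mv "$(DESTDIR)$(localdir)/local-$$f" "$(DESTDIR)$(localdir)/$$f"; \
	  fi; \
	done
```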
diff --git a/examples/apparmor/local-usr.lib.libvirt.virt-aa-helper b/examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
new file mode 100644
index 0000000..82c9c39
--- /dev/null
+++ b/examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.lib.libvirt.virt-aa-helper.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/examples/apparmor/local-usr.sbin.libvirtd b/examples/apparmor/local-usr.sbin.libvirtd
new file mode 100644
index 0000000..6e19f20
--- /dev/null
+++ b/examples/apparmor/local-usr.sbin.libvirtd
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.sbin.libvirtd.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index 012080c..93ba74e 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -56,4 +56,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
   /**.vmdk r,
   /**.[iI][sS][oO] r,
   /**/disk{,.*} r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.libvirt.virt-aa-helper>
 }
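Review bot: The `#include <local/usr.lib.libvirt.virt-aa-helper>` added before the closing brace is unconditional, so the profile fails to parse whenever that file is absent at load time, not only at build time: an administrator who deletes the file to reset it, or an install whose `apparmordir` differs from the directory the parser searches, loses the whole profile, which presumably leaves virt-aa-helper unconfined rather than merely without its override. The commit message covers the build-side fix, but the profile itself does not say the file is mandatory; I would follow the existing comment with `# This include is mandatory: the profile fails to load if the local file is missing.` If the targeted apparmor parser supports an optional-include form that would be the safer choice, but the patch does not show which parser version is required. The `profile virt-aa-helper` block begins outside the hunk.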
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 353b039..c37d5ee 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -85,4 +85,7 @@
 
    /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
   }
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.libvirtd>
 }
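Review bot: The comment `# Site-specific additions and overrides.` promises more than an include at the tail of the profile can deliver: AppArmor accumulates permissions across rules, so the local file can add rules or add `deny` rules (which take precedence), but it cannot revoke an allow rule already granted earlier in `usr.sbin.libvirtd`, and an administrator expecting to narrow the shipped profile from `local/` gets neither the effect nor an error. I would make the comment explicit, e.g. `# Site-specific additions and overrides. Rules here can add permissions or add deny rules; they cannot remove an allow rule granted above. See local/README.` The include is placed after the nested child profile closed by the `}` on the preceding line, inside the outer profile whose opening lies outside the hunk.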
-- 
2.7.4



