[PATCH 1/2] apparmor: allow adding permanent per guest rules

Daniel P. Berrangé berrange at redhat.com
Fri Aug 7 16:13:39 UTC 2020


On Fri, Aug 07, 2020 at 12:21:19PM +0200, Christian Ehrhardt wrote:
> The design of apparmor in libvirt always had a way to define custom
> per-guest rules as described in docs/drvqemu.html and [1].
> 
> A fix meant to clean the profiles after guest shutdown was a bit
> overzealous and accidentally removed this important admin feature as
> well.
> 
> Therefore reduce the --delete option of virt-aa-helper to only delete
> the .files that would be re-generated in any case.
> 
> Users/Admins are always free to clean the profiles themselves if they
> prefer a clean directory - they will be regenerated as needed. But
> libvirt should never remove the base profile meant to allow per-guest
> overrides and thereby break a documented feature.
> 
> [1]: https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage
> 
> Fixes: eba2225b "apparmor: delete profile on VM shutdown"
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
>  src/security/virt-aa-helper.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|