[PATCH V2 0/3] apparmor: Add support for local profile customizations

Jim Fehlig jfehlig at suse.com
Wed Jun 28 23:15:26 UTC 2023


This is a stab at a V2 of

https://listman.redhat.com/archives/libvir-list/2023-June/240219.html

That patch was ACKed and committed, but reverted before the 9.5.0 release
since it could be problematic with older apparmor 2.x versions still
supported by libvirt.

Andrea suggested copies of the profiles for apparmor 2.x and 3.x. This
series takes that approach, with patch 1 making an identical copy of the
src/security/apparmor directory. Patches 2 and 3 then adjust the profiles
accordingly.

My approach to copying the existing directory does introduce some duplicate
files in the tree, but otherwise it's minimally disruptive and will be easy
to rip out when upstream libvirt no longer needs to support apparmor 2.x.

FYI, so far I've only tested with apparmor 3.x, but I did push the changes
to my fork with CI enabled

https://gitlab.com/jfehlig/libvirt/-/pipelines/915347878

Thanks for comments/suggestions!

Jim Fehlig (3):
  apparmor: Create version specific apparmor profiles
  apparmor: Remove support for passt from apparmor 2.x
  apparmor: Add support for local profile customizations

 meson.build                                   |   6 +-
 src/security/apparmor-2/TEMPLATE.lxc          |  15 +
 src/security/apparmor-2/TEMPLATE.qemu         |   9 +
 src/security/apparmor-2/libvirt-lxc           | 118 ++++++++
 src/security/apparmor-2/libvirt-qemu          | 256 ++++++++++++++++++
 src/security/apparmor-2/meson.build           |  41 +++
 .../usr.lib.libvirt.virt-aa-helper.in         |  75 +++++
 .../usr.lib.libvirt.virt-aa-helper.local      |   1 +
 src/security/apparmor-2/usr.sbin.libvirtd.in  | 142 ++++++++++
 src/security/apparmor-2/usr.sbin.virtqemud.in | 135 +++++++++
 src/security/apparmor-2/usr.sbin.virtxend.in  |  55 ++++
 src/security/apparmor/libvirt-lxc             |   3 +
 src/security/apparmor/libvirt-qemu            |   3 +
 src/security/apparmor/usr.sbin.libvirtd.in    |   5 +-
 src/security/apparmor/usr.sbin.virtqemud.in   |   3 +
 src/security/apparmor/usr.sbin.virtxend.in    |   3 +
 src/security/meson.build                      |   3 +
 17 files changed, 871 insertions(+), 2 deletions(-)
 create mode 100644 src/security/apparmor-2/TEMPLATE.lxc
 create mode 100644 src/security/apparmor-2/TEMPLATE.qemu
 create mode 100644 src/security/apparmor-2/libvirt-lxc
 create mode 100644 src/security/apparmor-2/libvirt-qemu
 create mode 100644 src/security/apparmor-2/meson.build
 create mode 100644 src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in
 create mode 100644 src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local
 create mode 100644 src/security/apparmor-2/usr.sbin.libvirtd.in
 create mode 100644 src/security/apparmor-2/usr.sbin.virtqemud.in
 create mode 100644 src/security/apparmor-2/usr.sbin.virtxend.in

-- 
2.41.0


