[libvirt PATCH 6/8] apparmor: Improve virt-aa-helper include
Jim Fehlig
jfehlig at suse.com
Thu Jun 29 20:03:09 UTC 2023
On 6/29/23 07:14, Andrea Bolognani wrote:
> For AppArmor 3.x we can use 'include if exists', which frees us
> from having to create a dummy override. For AppArmor 2.x we keep
> things as they are to avoid introducing regressions.
>
> Signed-off-by: Andrea Bolognani <abologna at redhat.com>
> ---
> src/security/apparmor/meson.build | 15 ++++++++++-----
> .../apparmor/usr.lib.libvirt.virt-aa-helper.in | 5 +++++
> 2 files changed, 15 insertions(+), 5 deletions(-)
>
> diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
> index 8bc2405f88..b9257c816d 100644
> --- a/src/security/apparmor/meson.build
> +++ b/src/security/apparmor/meson.build
> @@ -77,8 +77,13 @@ install_data(
> install_dir: apparmor_dir / 'libvirt',
> )
>
> -install_data(
> - 'usr.lib.libvirt.virt-aa-helper.local',
> - install_dir: apparmor_dir / 'local',
> - rename: 'usr.lib.libvirt.virt-aa-helper',
> -)
> +if not conf.has('WITH_APPARMOR_3')
> + # We only install the empty local override for AppArmor 2.x. For
> + # AppArmor 3.x, upstream's preference is to avoid creating these
> + # files in order to limit the amount of filesystem clutter.
> + install_data(
> + 'usr.lib.libvirt.virt-aa-helper.local',
> + install_dir: apparmor_dir / 'local',
> + rename: 'usr.lib.libvirt.virt-aa-helper',
> + )
> +endif
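Review bot: The condition only decides whether the empty override gets installed, not what happens to one that already exists, so packagers moving from 2.x to 3.x builds should make sure a previously shipped `local/usr.lib.libvirt.virt-aa-helper` that an administrator has edited is not removed as an orphaned file on upgrade, since the 3.x profile will still honour it through the conditional include. Worth a sentence in the meson comment alongside "limit the amount of filesystem clutter", so the reason for not installing the file on 3.x is not read as a reason to delete it.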
> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> index ff1d46bebe..26ee20a17d 100644
> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> @@ -71,5 +71,10 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
> /**.[iI][sS][oO] r,
> /**/disk{,.*} r,
>
> + at BEGIN_APPARMOR_3@
> + include if exists <local/usr.lib.libvirt.virt-aa-helper>
> + at END_APPARMOR_3@
> + at BEGIN_APPARMOR_2@
> #include <local/usr.lib.libvirt.virt-aa-helper>
> + at END_APPARMOR_2@
> }
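Review bot: `include if exists` makes a misspelled or relocated override path fail silently rather than at parse time, which on 2.x would have been caught because `#include` of a missing file is an error. Since the same path string now appears in both the `@BEGIN_APPARMOR_3@` and `@BEGIN_APPARMOR_2@` blocks, consider a build-time check (or a comment pointing at the meson `install_data` entry) that keeps the include path and the installed `local/` filename in sync, so a future rename does not quietly stop picking up site-local additions under 3.x.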
The markers have the added benefit of reminding us to nuke this file when we
remove 2.x support.
Regards,
Jim