Apparmor profiles in /etc/apparmor.d/ are config files that can be replaced
on package upgrade, which introduces the potential to overwrite any local
changes. Apparmor supports local profile customizations via
/etc/apparmor.d/local/<service> [1]. In addition, apparmor 3.x supports
local customizations of profile abstractions via an abstractions/<service>.d
drop directory.
In order to support local customizations, the main profiles and abstractions
must 'include if exists' the local changes. This directive is only stable on
apparmor 3.x, so support for local profile customizations is limited to
apparmor >= 3.0.0.
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
src/security/apparmor/libvirt-lxc | 3 +++
src/security/apparmor/libvirt-qemu | 3 +++
src/security/apparmor/usr.sbin.libvirtd.in | 5 ++++-
src/security/apparmor/usr.sbin.virtqemud.in | 3 +++
src/security/apparmor/usr.sbin.virtxend.in | 3 +++
5 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libvirt-lxc
index 0c8b812743..734dd95c6e 100644
--- a/src/security/apparmor/libvirt-lxc
+++ b/src/security/apparmor/libvirt-lxc
@@ -116,3 +116,6 @@
deny /sys/fs/cgrou[^p]*{,/**} wklx,
deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx,
+
+ # Site-specific additions and overrides.
+ include if exists <abstractions/libvirt-lxc.d>
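Review bot: The new `include if exists <abstractions/libvirt-lxc.d>` line is written unconditionally into a file that is not a build template, so nothing in this hunk (or the matching one in libvirt-qemu) enforces the "apparmor >= 3.0.0" limit the description states; if an older parser rejects the directive the whole abstraction fails to load, and every profile that pulls it in fails with it. Please confirm the version check lives elsewhere in the series, and consider recording the requirement next to the directive so the constraint is visible where it bites: `# Site-specific additions and overrides (drop files into abstractions/libvirt-lxc.d/; requires apparmor >= 3.0).` The profile hunks point readers at local/README, but these two abstraction hunks give no hint where the drop directory lives or how it differs from local/<profile>; the same comment text, with the libvirt-qemu.d path, fits the second hunk.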
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 44056b5f14..bed7c4ad76 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -269,3 +269,6 @@
# required for QEMU accessing UEFI nvram variables
owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
+
+ # Site-specific additions and overrides.
+ include if exists <abstractions/libvirt-qemu.d>
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in
b/src/security/apparmor/usr.sbin.libvirtd.in
index edb8dd8e26..20041fcf67 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -139,4 +139,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
-}
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.libvirtd>
+ }
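Review bot: The closing brace of the libvirtd profile is removed as `}` and re-added as `+ }`, which, as far as the mail rendering lets one tell, is a whitespace-only change to its indentation; the virtqemud and virtxend hunks instead leave `}` as context and insert the three new lines in front of it. Keeping the brace unchanged here (`}`) would make the three profile hunks consistent and avoid an unrelated indentation change in the diff. The comment `See local/README for details` refers to a file this patch does not add; if it means the README that AppArmor packaging installs under /etc/apparmor.d/local/, saying so (e.g. `See /etc/apparmor.d/local/README, shipped by apparmor, for details.`) avoids a dangling reference for readers of the libvirt tree. The old-side count of 4 in the hunk header does not match the three old lines visible, so a blank context line has probably been dropped in transit; worth re-checking the patch applies cleanly.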
diff --git a/src/security/apparmor/usr.sbin.virtqemud.in
b/src/security/apparmor/usr.sbin.virtqemud.in
index f269c60809..3ebdbf2a8f 100644
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -132,4 +132,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.virtqemud>
}
diff --git a/src/security/apparmor/usr.sbin.virtxend.in
b/src/security/apparmor/usr.sbin.virtxend.in
index 72e0d801e5..719766a0c1 100644
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@@ -52,4 +52,7 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
@libexecdir@/libvirt_iohelper ix,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.virtxend>
}
--
2.41.0