Apparmor profiles in /etc/apparmor.d/ are config files that can and should
be replaced on package upgrade, which introduces the potential to overwrite
any local changes. Apparmor supports local profile customizations via
/etc/apparmor.d/local/<service> [1].
This change makes the support explicit by adding libvirtd, virtqemud, and
virtxend profile customization stubs to /etc/apparmor.d/local/. The stubs
are conditionally included by the corresponding main profiles.
[1] https://ubuntu.com/server/docs/security-apparmor, see the "Profile customization" section
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
This patch was inspired by an internal bug report. The SUSE libvirt package
has marked /etc/apparmor.d/<some-libvirt-service> profiles as
'config(noreplace)' for as long as I can remember. On rare occasions a
profile receives a change that is required to avoid regression. And on rarer
occasions a user might have made local customizations to the profile. With
'noreplace', the trap is set for the user to experience the regression.
Unless other apparmor users convince me otherwise, I'm planning to make
this change in the SUSE package, along with changing the main
/etc/apparmor.d/ profiles to 'config' and using 'config(noreplace)' for the
local customizations only.
Note: I'm fine keeping this as a downstream-only patch if upstream isn't
interested in the clutter.
src/security/apparmor/meson.build | 12 +++++++-----
src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
src/security/apparmor/usr.sbin.libvirtd.local | 1 +
src/security/apparmor/usr.sbin.virtqemud.in | 3 +++
src/security/apparmor/usr.sbin.virtqemud.local | 1 +
src/security/apparmor/usr.sbin.virtxend.in | 3 +++
src/security/apparmor/usr.sbin.virtxend.local | 1 +
7 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 58b4024b85..02a6d098ad 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -34,8 +34,10 @@ install_data(
install_dir: apparmor_dir / 'libvirt',
)
-install_data(
- 'usr.lib.libvirt.virt-aa-helper.local',
- install_dir: apparmor_dir / 'local',
- rename: 'usr.lib.libvirt.virt-aa-helper',
-)
+foreach name : apparmor_gen_profiles
+ install_data(
+ '@0@.local'.format(name),
+ install_dir: apparmor_dir / 'local',
+ rename: name,
+ )
+endforeach
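Review bot: the new foreach loop removes the explicit install of usr.lib.libvirt.virt-aa-helper.local, so it needs to be confirmed that apparmor_gen_profiles (defined outside this hunk) contains 'usr.lib.libvirt.virt-aa-helper'; if it does not, the virt-aa-helper local stub silently stops being installed, and nothing in the file list re-adds it. The `'@0@.local'.format(name)` source also assumes every entry in apparmor_gen_profiles has a matching `<name>.local` file in the source tree, and meson will error on any name without one, so the list and the three new .local files should be checked against each other.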
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in
b/src/security/apparmor/usr.sbin.libvirtd.in
index edb8dd8e26..41bdef53ec 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -139,4 +139,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.libvirtd>
}
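Review bot: the comment on the added include says "See local/README for details", but no README under local/ is added anywhere in this series (see the file list), so either add one next to the .local stubs or reword the comment. Also, `include if exists` is only accepted by newer apparmor_parser releases; parsers that only understand the unconditional `#include <...>` form will refuse to load the profile, so the minimum AppArmor version this relies on should be verified and mentioned in the commit message.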
diff --git a/src/security/apparmor/usr.sbin.libvirtd.local
b/src/security/apparmor/usr.sbin.libvirtd.local
new file mode 100644
index 0000000000..3716400022
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.libvirtd.local
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.libvirtd'
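Review bot: a single comment line is enough for the stub to exist, but it would help the administrator if it also stated that the file is pulled in by the main usr.sbin.libvirtd profile through `include if exists` and that edits only take effect after the profile is reloaded (for example with `apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd`); the same wording would then apply to the virtqemud and virtxend stubs below.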
diff --git a/src/security/apparmor/usr.sbin.virtqemud.in
b/src/security/apparmor/usr.sbin.virtqemud.in
index f269c60809..3ebdbf2a8f 100644
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -132,4 +132,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.virtqemud>
}
diff --git a/src/security/apparmor/usr.sbin.virtqemud.local
b/src/security/apparmor/usr.sbin.virtqemud.local
new file mode 100644
index 0000000000..2ac68bb069
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtqemud.local
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.virtqemud'
diff --git a/src/security/apparmor/usr.sbin.virtxend.in
b/src/security/apparmor/usr.sbin.virtxend.in
index 72e0d801e5..719766a0c1 100644
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@@ -52,4 +52,7 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
@libexecdir@/libvirt_iohelper ix,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.virtxend>
}
diff --git a/src/security/apparmor/usr.sbin.virtxend.local
b/src/security/apparmor/usr.sbin.virtxend.local
new file mode 100644
index 0000000000..2ade86d4df
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtxend.local
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.virtxend'
--
2.40.1