Re: [PATCH V3 1/2] Apparmor: Add profile for virtqemud
On 6/25/21 5:19 AM, Christian Boltz wrote:
Hello,
[please CC me in replies]
Your updated patches still look good, I just noticed something that is
probably minor nitpicking:
Am Donnerstag, 24. Juni 2021, 22:48:58 CEST schrieb Jim Fehlig:
[...]
> + signal (send) set=("kill", "term") peer=unconfined,
[...]
> + signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
The quotes around the signal names are superfluous. You can simply use
set=(kill, term)
set=(term)
Actually the parenthesis are optional if there's only a single signal
mentioned, so you could also use
set=term
(keeping the parenthesis for consistency with other rules is also fine)
There are several signal rules with superfluous quotes in this patch,
and also one in the 2/2 patch.
(There's no need to re-send the patch for such a minor change IMHO.)
Thanks. I've squashed the below diff into my local branch (along with a similar
change to the one instance in 2/2).
Regards,
Jim
diff --git a/src/security/apparmor/usr.sbin.virtqemud.in
b/src/security/apparmor/usr.sbin.virtqemud.in
index 2d16ea821d..3de03d49fc 100644
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -62,11 +62,11 @@ profile virtqemud @sbindir@/virtqemud
flags=(attach_disconnected) {
signal (send) peer=dnsmasq,
signal (send) peer=/usr/sbin/dnsmasq,
signal (read, send) peer=libvirt-*,
- signal (send) set=("kill", "term") peer=unconfined,
+ signal (send) set=(kill, term) peer=unconfined,
# For communication/control to qemu-bridge-helper
unix (send, receive) type=stream addr=none
peer=(label=libvirtd//qemu_bridge_helper),
- signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
+ signal (send) set=(term) peer=libvirtd//qemu_bridge_helper,
# allow connect with openGraphicsFD, direction reversed in newer versions
unix (send, receive) type=stream addr=none
peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
@@ -123,7 +123,7 @@ profile virtqemud @sbindir@/virtqemud
flags=(attach_disconnected) {
# For communication/control from virtqemud
unix (send, receive) type=stream addr=none peer=(label=virtqemud),
- signal (receive) set=("term") peer=virtqemud,
+ signal (receive) set=(term) peer=virtqemud,
/dev/net/tun rw,
/etc/qemu/** r,