[PATCH 1/2] apparmor: allow adding permanent per guest rules

The design of apparmor in libvirt always had a way to define custom per-guest rules as described in docs/drvqemu.html and [1]. A fix meant to clean the profiles after guest shutdown was a bit overzealous and accidentially removed this important admin feature as well. Therefore reduce the --delete option of virt-aa-helper to only delete the .files that would be re-generated in any case. Users/Admins are always free to clean the profiles themselve if they prefer a clean directory - they will be regenerated as needed. But libvirt should never remove the base profile meant to allow per-guest overrides and thereby break a documented feature. [1]: https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage Fixes: eba2225b "apparmor: delete profile on VM shutdown" Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com&gt; --- src/security/virt-aa-helper.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index dadb9d1614..4b66422b8f 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -99,7 +99,7 @@ vah_usage(void) " Modes:\n" " -a | --add load profile\n" " -c | --create create profile from template\n" - " -D | --delete unload and delete profile\n" + " -D | --delete unload profile and delete generated rules\n" " -r | --replace reload profile\n" " -R | --remove unload profile\n" " Options:\n" @@ -1491,7 +1491,6 @@ main(int argc, char **argv) rc = parserRemove(ctl->uuid); if (ctl->cmd == 'D') { unlink(include_file); - unlink(profile); } } else if (ctl->cmd == 'c' || ctl->cmd == 'r') { char *included_files = NULL; -- 2.27.0