From: Felix Geyer <fgeyer(a)debian.org>
Local overrides is a feature Debian/Ubuntu libvirt provided for a while.
This allows the user to have a non-conffile that he can use to extend the
package delivered rules with extra content matching his special case.
This change adds the include directives to the apparmor profiles
for virt-aa-helper and libvirtd.
Additionally, the build environment is extended to carry template local
profiles and install them into the correct places. Without that, the
include directives would prevent the profiles from loading.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
Acked-by: Jamie Strandboge <jamie(a)canonical.com>
---
examples/Makefile.am | 14 ++++++++++++++
examples/apparmor/local-usr.lib.libvirt.virt-aa-helper | 2 ++
examples/apparmor/local-usr.sbin.libvirtd | 2 ++
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 3 +++
examples/apparmor/usr.sbin.libvirtd | 3 +++
5 files changed, 24 insertions(+)
create mode 100644 examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
create mode 100644 examples/apparmor/local-usr.sbin.libvirtd
diff --git a/examples/Makefile.am b/examples/Makefile.am
index 2956e14..16c7bf6 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -25,6 +25,8 @@ EXTRA_DIST = \
apparmor/libvirt-lxc \
apparmor/usr.lib.libvirt.virt-aa-helper \
apparmor/usr.sbin.libvirtd \
+ apparmor/local-usr.sbin.libvirtd \
+ apparmor/local-usr.lib.libvirt.virt-aa-helper \
lxcconvert/virt-lxc-convert \
polkit/libvirt-acl.rules \
$(wildcard $(srcdir)/systemtap/*.stp) \
@@ -74,6 +76,18 @@ apparmor_DATA = \
apparmor/usr.sbin.libvirtd \
$(NULL)
+localdir = $(apparmordir)/local
+local_DATA = \
+ apparmor/local-usr.sbin.libvirtd \
+ apparmor/local-usr.lib.libvirt.virt-aa-helper \
+ $(NULL)
+
+install-data-hook:
+ mv $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd \
+ $(DESTDIR)$(localdir)/usr.sbin.libvirtd
+ mv $(DESTDIR)$(localdir)/local-usr.lib.libvirt.virt-aa-helper \
+ $(DESTDIR)$(localdir)/usr.lib.libvirt.virt-aa-helper
+
abstractionsdir = $(apparmordir)/abstractions
abstractions_DATA = \
apparmor/libvirt-qemu \
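Review bot: The `install-data-hook` recipe moves the freshly installed templates onto `$(DESTDIR)$(localdir)/usr.sbin.libvirtd` and `$(DESTDIR)$(localdir)/usr.lib.libvirt.virt-aa-helper` unconditionally, so a `make install` into a live prefix replaces any site-specific rules already in those files with the two-line template. For a security policy file that is a silent reset of local confinement changes, so the hook should install a template only when the destination is absent, as sketched below. The generated uninstall rule will presumably look for the `local-` names from `local_DATA`, which no longer exist after the rename, so the renamed files are likely left behind. Whether this block sits inside the AppArmor-profiles conditional is not visible in the hunk; if it does not, the hook would also run on builds that install no profiles.

```make
localdir = $(apparmordir)/local
# … local_DATA dropped: the hook installs the templates under their final names …

install-data-hook:
	$(MKDIR_P) "$(DESTDIR)$(localdir)"
	for f in usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper; do \
	  test -e "$(DESTDIR)$(localdir)/$$f" || \
	    $(INSTALL_DATA) "$(srcdir)/apparmor/local-$$f" \
	      "$(DESTDIR)$(localdir)/$$f" || exit 1; \
	done
```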
diff --git a/examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
new file mode 100644
index 0000000..82c9c39
--- /dev/null
+++ b/examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.lib.libvirt.virt-aa-helper.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/examples/apparmor/local-usr.sbin.libvirtd
b/examples/apparmor/local-usr.sbin.libvirtd
new file mode 100644
index 0000000..6e19f20
--- /dev/null
+++ b/examples/apparmor/local-usr.sbin.libvirtd
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.sbin.libvirtd.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index 012080c..93ba74e 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -56,4 +56,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
/**.vmdk r,
/**.[iI][sS][oO] r,
/**/disk{,.*} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.libvirt.virt-aa-helper>
}
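Review bot: The added `#include <local/usr.lib.libvirt.virt-aa-helper>` is a hard include, so if the local file is missing or unreadable the whole profile fails to parse and the helper may run without this confinement; the same applies to the `#include <local/usr.sbin.libvirtd>` line in the usr.sbin.libvirtd hunk. Where the targeted AppArmor parser supports it, `include if exists <local/usr.lib.libvirt.virt-aa-helper>` avoids that failure mode. The comment's word "overrides" is also worth tightening, because rules in the included file are merged into the profile and only `deny` rules can narrow what the shipped profile allows, e.g. `# Site-specific additions (and deny rules). Keep this file root-owned; rules here widen or narrow the profile.` The profile body starts outside this hunk, so the interaction with earlier rules cannot be checked from here.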
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 353b039..c37d5ee 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -85,4 +85,7 @@
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.libvirtd>
}
--
2.7.4