
On 6/25/21 5:19 AM, Christian Boltz wrote:
Hello,
[please CC me in replies]
Your updated patches still look good, I just noticed something that is probably minor nitpicking:
On Thursday, 24 June 2021, 22:48:58 CEST, Jim Fehlig wrote: [...]
+ signal (send) set=("kill", "term") peer=unconfined, [...] + signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
The quotes around the signal names are superfluous. You can simply use
set=(kill, term)
set=(term)
Actually the parentheses are optional if there's only a single signal mentioned, so you could also use set=term (keeping the parentheses for consistency with other rules is also fine).
There are several signal rules with superfluous quotes in this patch, and also one in the 2/2 patch.
(There's no need to re-send the patch for such a minor change IMHO.)
Thanks. I've squashed the below diff into my local branch (along with a similar change to the one instance in 2/2).

Regards,
Jim

diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in index 2d16ea821d..3de03d49fc 100644 --- a/src/security/apparmor/usr.sbin.virtqemud.in +++ b/src/security/apparmor/usr.sbin.virtqemud.in @@ -62,11 +62,11 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { signal (send) peer=dnsmasq, signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, - signal (send) set=("kill", "term") peer=unconfined, + signal (send) set=(kill, term) peer=unconfined, # For communication/control to qemu-bridge-helper unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), - signal (send) set=("term") peer=libvirtd//qemu_bridge_helper, + signal (send) set=(term) peer=libvirtd//qemu_bridge_helper, # allow connect with openGraphicsFD, direction reversed in newer versions unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), @@ -123,7 +123,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { # For communication/control from virtqemud unix (send, receive) type=stream addr=none peer=(label=virtqemud), - signal (receive) set=("term") peer=virtqemud, + signal (receive) set=(term) peer=virtqemud, /dev/net/tun rw, /etc/qemu/** r,
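Review bot: in the first hunk (the virtqemud profile, around line 62), the peer label on the rewritten send rule, `signal (send) set=(term) peer=libvirtd//qemu_bridge_helper,`, and on the unix rule just above it still name `libvirtd` as the parent of the qemu_bridge_helper child profile, yet this file defines the `virtqemud` profile and the receiving side in the second hunk expects the signal from `peer=virtqemud`. If the qemu_bridge_helper child profile is nested under virtqemud, its label is `virtqemud//qemu_bridge_helper`, and a send rule naming `libvirtd//qemu_bridge_helper` would not match, so the TERM to the helper would be denied at runtime even though the quote cleanup itself is correct. Worth checking the child profile's actual label while touching these lines, and adjusting the peer on both the signal and unix rules if they are a leftover from the libvirtd profile this file was derived from.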