
On Mon, Sep 16, 2024 at 04:13:03PM +0100, Daniel P. Berrangé wrote:
On Tue, Sep 17, 2024 at 12:12:05AM +0900, Andrea Bolognani wrote:
On Mon, Sep 16, 2024 at 04:04:40PM GMT, Daniel P. Berrangé wrote:
On Mon, Sep 16, 2024 at 04:55:55PM +0200, Andrea Bolognani wrote:
static virSecurityDriverStatus AppArmorSecurityManagerProbe(const char *virtDriver G_GNUC_UNUSED)
We're passing the virt driver name ("QEMU" or "LXC") in here and not using it.....
...rather than delete these, pick the right check to perform based on 'virtDriver' value.
eg approximately like this
    /* lower-case the driver name to select the matching TEMPLATE file */
    g_autofree char *template_name = g_strdup(virtDriver);
    for (i = 0; template_name[i]; i++)
        template_name[i] = tolower(template_name[i]);
    template = g_strdup_printf("%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt", template_name);
I can give it a shot, but it still seems pointless to check whether the files are available ahead of time when virt-aa-helper will do that at the time when they're actually going to be used. What do we gain by doing that?
Do we still get a clear error message back to the user if virt-aa-helper fails due to the missing files?
A difference is that this Probe check will presumably report the error during daemon startup, while the virt-aa-helper check will delay the report until a VM is started. A failure to start the daemon is arguably more likely to be noticed & fixed at time of host deployment.

With regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
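
Added example, not part of the thread and not libvirt code: a plain-C sketch of the per-driver probe discussed above, which checks only the template for the driver being probed and names the missing path when it reports at startup. The `probe_status` enum and the `template_path` and `probe_templates` functions are hypothetical, and rejecting non-alphanumeric driver names is an assumption added here.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for access() */
#endif
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical status values standing in for libvirt's virSecurityDriverStatus. */
typedef enum { PROBE_ENABLE, PROBE_DISABLE, PROBE_ERROR } probe_status;

/* Write "<dir>/TEMPLATE.<lower-cased driver>" to buf. Returns 0, or -1 when
 * the driver name is empty, not alphanumeric, or the result does not fit. */
int template_path(const char *dir, const char *virt_driver, char *buf, size_t len)
{
    char name[32];
    size_t i, n = strlen(virt_driver);
    if (n == 0 || n >= sizeof(name))
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)virt_driver[i];
        if (!isalnum(c))            /* keep '/' and '.' out of the path */
            return -1;
        name[i] = (char)tolower(c);
    }
    name[n] = '\0';
    int w = snprintf(buf, len, "%s/TEMPLATE.%s", dir, name);
    return (w < 0 || (size_t)w >= len) ? -1 : 0;
}

/* Startup-time probe: check only the template the given driver will use. */
probe_status probe_templates(const char *dir, const char *virt_driver)
{
    char path[4096];
    if (template_path(dir, virt_driver, path, sizeof(path)) < 0)
        return PROBE_ERROR;
    if (access(path, R_OK) != 0) {
        fprintf(stderr, "template %s is missing or unreadable\n", path);
        return PROBE_DISABLE;
    }
    return PROBE_ENABLE;
}

/* usage: probe <template dir> <driver>, e.g. probe ./templates QEMU */
int main(int argc, char **argv)
{
    if (argc != 3) return 2;
    return probe_templates(argv[1], argv[2]) == PROBE_ENABLE ? 0 : 1;
}
```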