
On Thu, Jun 24, 2021 at 08:24:05AM -0600, Jim Fehlig wrote:
On 6/23/21 11:43 PM, Christian Ehrhardt wrote:
On Wed, Jun 23, 2021 at 1:27 AM Jim Fehlig <jfehlig@suse.com> wrote:
A new apparmor profile derived from the libvirtd profile, with non-QEMU related rules removed. Adopt the libvirt-qemu abstraction to work with the new profile.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Thanks for your work on this, but since in the split daemon mode virtqemud will do the majority of the tasks I wonder if along this change (or later) we should consider removing rules from the libvirtd profile.
AFAIK (at least in theory), the modular and monolithic daemons are mutually exclusive. Either you run the desired modular daemon(s) or the monolithic libvirtd. So the libvirtd rules need to stay IMO.
And IIRC, Daniel has long-term plans to remove the monolithic daemon, at which point the libvirtd profile can be dropped too.
It should now have fewer tasks and therefore need fewer permissions. Have you had the chance to take a look at that already?
There is a bonus problem though: as long as we provide the option to build non-split daemons, we would effectively need two profiles. One for the monolithic libvirtd and a reduced one for the split kind.
Agreed. We'll need both as long as we have the modular and monolithic daemons.
FWIW, when making the Fedora feature proposal[1] I stated that we intend to keep the monolithic libvirtd upstream for /at least/ 1 year, starting from when a major Linux distro has a release that defaults to the modular daemons. So that's going to be at least late 2022 before we talk about deleting libvirtd.

Regards,
Daniel

[1] https://fedoraproject.org/wiki/Changes/LibvirtModularDaemons

--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|