Re: [PATCH V2 1/4] Apparmor: Add profile for virtqemud

On 6/23/21 11:43 PM, Christian Ehrhardt wrote: > On Wed, Jun 23, 2021 at 1:27 AM Jim Fehlig <jfehlig(a)suse.com&gt; wrote: > > > > A new apparmor profile derived from the libvirtd profile, with non-QEMU > > related rules removed. Adopt the libvirt-qemu abstraction to work with > > the new profile. > > > > Signed-off-by: Jim Fehlig <jfehlig(a)suse.com&gt; > > Thanks for your work on this, but since in the split daemon mode > virtqemud will do the > majority of the tasks I wonder if along this change (or later) we > should consider > removing rules from the libvirtd profile. AFAIK (at least in theory), the modular and monolithic daemons are mutually exclusive. Either you run the desired modular daemon(s) or the monolithic libvirtd. So the libvirtd rules need to stay IMO. And IIRC, Daniel has long-term plans to remove the monolithic daemon, at which point the libvirtd profile can be dropped too. > It should now have less tasks and therefore need less permissions. > Have you had the chance to take a look into that already? > > There is a bonus-problem though, as long as we provide the option to build > non-split daemons we would effectively need two profiles. > One for the monolithic libvirtd and a reduced one for the split kind. Agreed. We'll need both as long as we have the modular and monolithic daemons.