
On 6/7/23 00:06, Jim Fehlig wrote:
Apparmor profiles in /etc/apparmor.d/ are config files that can and should be replaced on package upgrade, which introduces the potential to overwrite any local changes. Apparmor supports local profile customizations via /etc/apparmor.d/local/<service> [1].
This change makes the support explicit by adding libvirtd, virtqemud, and virtxend profile customization stubs to /etc/apparmor.d/local/. The stubs are conditionally included by the corresponding main profiles.
[1] https://ubuntu.com/server/docs/security-apparmor
    See "Profile customization" section

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
This patch was inspired by an internal bug report. The SUSE libvirt package has marked /etc/apparmor.d/<some-libvirt-service> profiles as 'config(noreplace)' for as long as I can remember. On rare occasions a profile receives a change that is required to avoid regression. And on rarer occasions a user might have made local customizations to the profile. With 'noreplace', the trap is set for the user to experience the regression.
Unless other apparmor users convince me otherwise, I'm planning to make this change in the SUSE package, along with changing the main /etc/apparmor.d/ profiles to 'config' and using 'config(noreplace)' for the local customizations only.
Note: I'm fine keeping this as a downstream-only patch if upstream isn't interested in the clutter.
 src/security/apparmor/meson.build              | 12 +++++++-----
 src/security/apparmor/usr.sbin.libvirtd.in     |  3 +++
 src/security/apparmor/usr.sbin.libvirtd.local  |  1 +
 src/security/apparmor/usr.sbin.virtqemud.in    |  3 +++
 src/security/apparmor/usr.sbin.virtqemud.local |  1 +
 src/security/apparmor/usr.sbin.virtxend.in     |  3 +++
 src/security/apparmor/usr.sbin.virtxend.local  |  1 +
 7 files changed, 19 insertions(+), 5 deletions(-)

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal
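The mechanism the patch describes, shown as an added illustration rather than the patch's own text: a package-owned main profile that conditionally includes a local stub, and the stub the admin edits. Both file contents below are constructed for illustration; the real libvirt profiles carry many more rules than shown.

```apparmor
# /etc/apparmor.d/usr.sbin.libvirtd  (excerpt, constructed illustration)
# Owned by the package and replaced on upgrade ('config', not 'noreplace'),
# so any regression-avoiding rule changes always land.
#include <tunables/global>

profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
  #include <abstractions/base>

  # ... package-maintained rules for libvirtd live here ...

  # Pull in site-specific additions and overrides. The "if exists"
  # qualifier means a missing stub does not make the profile fail to
  # load, so the include is safe to ship on every system.
  include if exists <local/usr.sbin.libvirtd>
}

# /etc/apparmor.d/local/usr.sbin.libvirtd  (constructed illustration)
# Site-specific additions and overrides for usr.sbin.libvirtd.
# Owned by the admin and marked 'config(noreplace)' by the package, so an
# upgrade never overwrites it. Anything written here is inserted inside
# the libvirtd profile's braces, e.g. an extra read rule for a local
# storage path:
#   /srv/vmimages/** r,
```

After editing the stub, reload the main profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd` so the new rules take effect; the same layout applies to virtqemud and virtxend.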