On Tue, 1 Apr 2025 at 14:22, Andrea Bolognani <abologna(a)redhat.com> wrote:
> On Tue, Apr 01, 2025 at 10:55:28AM +0200, Alessandro wrote:
> > We attempted multiple ways to clean up dynamic files; however, we must
> > preserve user overrides, which requires keeping the file
> > /etc/apparmor.d/libvirt/libvirt-uuid
> >
> > This commit proposes to move user overrides into
> > /etc/apparmor.d/libvirt/libvirt-uuid.local and include it, if present,
> > unconditionally. When we stop the domain, we remove libvirt.uuid and
> > libvirt-uuid.files, whereas we preserve libvirt-uuid.local if present.
>
> The way you describe things, it sounds like the AppArmor driver
> already expects local overrides to exist. Is that documented
> anywhere? If so, an update is probably needed. And either way, this
> file you're introducing and its purpose will have to be documented.
Thank you for your remark, Andrea.
AFAICT, it's documented here
https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage
and in docs/drvqemu.rst. If my proposal is accepted, I'll update those
pages accordingly with a separate patch, clearly stating that the
behaviour has changed and the user overrides must be saved into the
/etc/apparmor.d/libvirt/libvirt-uuid.local file.
I don't know if I can modify the GitLab wiki by sending a patch though :)
Thank you,
Best regards
A.