On Tue, 1 Apr 2025 at 14:22, Andrea Bolognani <abologna@redhat.com> wrote:
On Tue, Apr 01, 2025 at 10:55:28AM +0200, Alessandro wrote:
We attempted multiple ways to clean up dynamic files; however, we must preserve user overrides, which requires keeping the file /etc/apparmor.d/libvirt/libvirt-uuid
This commit proposes to move user overrides into /etc/apparmor.d/libvirt/libvirt-uuid.local and include it, if present, unconditionally. When we stop the domain, we remove libvirt.uuid and libvirt-uuid.files, whereas we preserve libvirt-uuid.local if present.
The way you describe things, it sounds like the AppArmor driver already expects local overrides to exist. Is that documented anywhere? If so, an update is probably needed. And either way, this file you're introducing and its purpose will have to be documented.
Thank you for your remark, Andrea. AFAICT, it's documented here https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage and in docs/drvqemu.rst. If my proposal is accepted, I'll update those pages accordingly with a separate patch, clearly stating that the behaviour has changed and the user overrides must be saved into the /etc/apparmor.d/libvirt/libvirt-uuid.local file. I don't know if I can modify the Gitlab wiki's sending a patch though :) Thank you, Best regards A.