8:34 p.m.
Change the 'include' in the AppArmor policy to use 'include if exists'
when including <uuid>.files. Note that 'if exists' is only available
after AppArmor 3.0, therefore a #ifdef check must be added.
When the <uuid>.files is not present, there are some failures in the
AppArmor tools like the following, since they expect the file to exist
when using 'include':
ERROR: Include file
/etc/apparmor.d/libvirt/libvirt-8534a409-a460-4fab-a2dd-0e1dce4ff273.files not found
Signed-off-by: Georgia Garcia <georgia.garcia(a)canonical.com>
---
src/security/virt-aa-helper.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 0374581f07..402cbd9602 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1564,7 +1564,12 @@ main(int argc, char **argv)
/* create the profile from TEMPLATE */
if (ctl->cmd == 'c' || purged) {
char *tmp = NULL;
- tmp = g_strdup_printf(" #include <libvirt/%s.files>\n",
ctl->uuid);
+#if defined(WITH_APPARMOR_3)
+ const char *ifexists = "if exists ";
+#else
+ const char *ifexists = "";
+#endif
+ tmp = g_strdup_printf(" #include %s<libvirt/%s.files>\n",
ifexists, ctl->uuid);
if (ctl->dryrun) {
vah_info(profile);
--
2.34.1
4:03 p.m.
On 6/4/24 19:34, Georgia Garcia wrote:
Change the 'include' in the AppArmor policy to use
'include if exists'
when including <uuid>.files. Note that 'if exists' is only available
after AppArmor 3.0, therefore a #ifdef check must be added.
When the <uuid>.files is not present, there are some failures in the
AppArmor tools like the following, since they expect the file to exist
when using 'include':
ERROR: Include file
/etc/apparmor.d/libvirt/libvirt-8534a409-a460-4fab-a2dd-0e1dce4ff273.files not found
When can this ever happen? I thought libvirt creates this file for each
domain running.
Michal
5:29 p.m.
On Mon, 2024-06-10 at 15:03 +0200, Michal Prívozník wrote:
On 6/4/24 19:34, Georgia Garcia wrote:
> Change the 'include' in the AppArmor policy to use 'include if
exists'
> when including <uuid>.files. Note that 'if exists' is only available
> after AppArmor 3.0, therefore a #ifdef check must be added.
>
> When the <uuid>.files is not present, there are some failures in the
> AppArmor tools like the following, since they expect the file to exist
> when using 'include':
>
> ERROR: Include file
/etc/apparmor.d/libvirt/libvirt-8534a409-a460-4fab-a2dd-0e1dce4ff273.files not found
When can this ever happen? I thought libvirt creates this file for each
domain running.
The file does not exist when the domain is not running, so if you're
running an apparmor tool like aa-genprof, they scan all profiles under
/etc/apparmor.d/ and they expect a valid state for the policies - which
these don't have because they include a file that does not exist unless
the domain is running.
Michal
Thanks,
Georgia
10:49 a.m.
On 6/10/24 16:29, Georgia Garcia wrote:
On Mon, 2024-06-10 at 15:03 +0200, Michal Prívozník wrote:
> On 6/4/24 19:34, Georgia Garcia wrote:
>> Change the 'include' in the AppArmor policy to use 'include if
exists'
>> when including <uuid>.files. Note that 'if exists' is only
available
>> after AppArmor 3.0, therefore a #ifdef check must be added.
>>
>> When the <uuid>.files is not present, there are some failures in the
>> AppArmor tools like the following, since they expect the file to exist
>> when using 'include':
>>
>> ERROR: Include file
/etc/apparmor.d/libvirt/libvirt-8534a409-a460-4fab-a2dd-0e1dce4ff273.files not found
>
> When can this ever happen? I thought libvirt creates this file for each
> domain running.
The file does not exist when the domain is not running, so if you're
running an apparmor tool like aa-genprof, they scan all profiles under
/etc/apparmor.d/ and they expect a valid state for the policies - which
these don't have because they include a file that does not exist unless
the domain is running.
Fair enough.
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
and merged. Congratulations on your first libvirt contribution!
Michal
233
days inactive
240
days old
3 comments
2 participants
participants (2)
-
Georgia Garcia -
Michal Prívozník