[PATCH 0/3] apparmor: assume at least version 3

Daniel P. Berrangé (3):
  apparmor: assume at least apparmor >= 3
  Revert "apparmor: Allow version-specific bits in profiles"
  meson: drop remaining checks for apparmor version

 meson.build                                   |  3 --
 src/security/apparmor/libvirt-lxc.in          |  2 -
 src/security/apparmor/libvirt-qemu.in         |  4 --
 src/security/apparmor/meson.build             | 45 +------------------
 .../usr.lib.libvirt.virt-aa-helper.in         |  5 ---
 src/security/apparmor/usr.sbin.libvirtd.in    |  2 -
 src/security/apparmor/usr.sbin.virtqemud.in   |  2 -
 src/security/apparmor/usr.sbin.virtxend.in    |  2 -
 src/security/virt-aa-helper.c                 |  9 +---
 9 files changed, 3 insertions(+), 71 deletions(-)

-- 
2.48.1

From: Daniel P. Berrangé <berrange@redhat.com> By assuming version 3, we can drop all the conditional version substitutions from the profiles. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/security/apparmor/libvirt-lxc.in | 2 -- src/security/apparmor/libvirt-qemu.in | 4 ---- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 5 ----- src/security/apparmor/usr.sbin.libvirtd.in | 2 -- src/security/apparmor/usr.sbin.virtqemud.in | 2 -- src/security/apparmor/usr.sbin.virtxend.in | 2 -- 6 files changed, 17 deletions(-) diff --git a/src/security/apparmor/libvirt-lxc.in b/src/security/apparmor/libvirt-lxc.in index ffe4d8f21f..11005e7c21 100644 --- a/src/security/apparmor/libvirt-lxc.in +++ b/src/security/apparmor/libvirt-lxc.in @@ -117,6 +117,4 @@ deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs?*{,/**} wklx, -@BEGIN_APPARMOR_3@ include if exists <abstractions/libvirt-lxc.d> -@END_APPARMOR_3@ diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in index c63077574e..e4aceacd70 100644 --- a/src/security/apparmor/libvirt-qemu.in +++ b/src/security/apparmor/libvirt-qemu.in @@ -190,7 +190,6 @@ /usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, -@BEGIN_APPARMOR_3@ # support for passt network back-end /usr/bin/passt Cx -> passt, @@ -206,7 +205,6 @@ include if exists <abstractions/passt> } -@END_APPARMOR_3@ # for save and resume /{usr/,}bin/dash rmix, @@ -281,6 +279,4 @@ owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, -@BEGIN_APPARMOR_3@ include if exists <abstractions/libvirt-qemu.d> -@END_APPARMOR_3@ diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in index 90a8b7072c..e209a8bff7 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in 
@@ -74,10 +74,5 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { /**.[iI][sS][oO] r, /**/disk{,.*} r, -@BEGIN_APPARMOR_3@ include if exists <local/usr.lib.libvirt.virt-aa-helper> -@END_APPARMOR_3@ -@BEGIN_APPARMOR_2@ - #include <local/usr.lib.libvirt.virt-aa-helper> -@END_APPARMOR_2@ } diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index 3659ddc219..6267e4f737 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -144,7 +144,5 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix, } -@BEGIN_APPARMOR_3@ include if exists <local/usr.sbin.libvirtd> -@END_APPARMOR_3@ } diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in index 86b23465b6..522c098af6 100644 --- a/src/security/apparmor/usr.sbin.virtqemud.in +++ b/src/security/apparmor/usr.sbin.virtqemud.in @@ -136,7 +136,5 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix, } -@BEGIN_APPARMOR_3@ include if exists <local/usr.sbin.virtqemud> -@END_APPARMOR_3@ } diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/apparmor/usr.sbin.virtxend.in index 77fedce352..324a000391 100644 --- a/src/security/apparmor/usr.sbin.virtxend.in +++ b/src/security/apparmor/usr.sbin.virtxend.in @@ -55,7 +55,5 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) { /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix, -@BEGIN_APPARMOR_3@ include if exists <local/usr.sbin.virtxend> -@END_APPARMOR_3@ } -- 2.48.1
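Review bot: Nothing in this patch rejects an AppArmor 2.x host, yet the libvirt-qemu.in and usr.lib.libvirt.virt-aa-helper.in hunks now emit `include if exists <...>` unconditionally (and drop the 2.x `#include <local/usr.lib.libvirt.virt-aa-helper>` fallback), which the meson comment reverted in patch 2 describes as only working on 3.x. Until patch 3 lands, a 2.x host configures and builds fine but the generated profiles fail at apparmor_parser load time, so a bisect stopping here looks like a profile regression rather than a dropped platform. Either squash the `dependency()` version floor into this commit or say explicitly in the commit message that 2.x is unsupported from this point.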

From: Daniel P. Berrangé <berrange@redhat.com> This reverts commit 19eb8abc9a4d15190852d644b773a2348f11c9da. It is no longer required since the minimum version can be assumed >= 3 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/security/apparmor/meson.build | 34 +------------------------------ 1 file changed, 1 insertion(+), 33 deletions(-) diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build index b9257c816d..f1319541e4 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -19,41 +19,9 @@ apparmor_gen_profiles_conf = configuration_data({ apparmor_dir = sysconfdir / 'apparmor.d' -# Our profiles use some features that only work well on AppArmor 3.x, -# specifically the 'include if exists' directive. In order to keep -# supporting AppArmor 2.x, the bits that are version-specific are -# enclosed in special markers and we decide which ones to include -# based on the AppArmor version detected on the host. -# -# TODO: drop the additional complexity once we no longer target -# distros that ship AppArmor 2.x (Debian 11, Ubuntu 20.04) -if conf.has('WITH_APPARMOR_3') - apparmor_gen_cmd = [ - 'sed', - '-e', '/[@]BEGIN_APPARMOR_3[@]/d', - '-e', '/[@]END_APPARMOR_3[@]/d', - '-e', '/[@]BEGIN_APPARMOR_2[@]/,/[@]END_APPARMOR_2[@]/d', - '@INPUT@' - ] -else - apparmor_gen_cmd = [ - 'sed', - '-e', '/[@]BEGIN_APPARMOR_3[@]/,/[@]END_APPARMOR_3[@]/d', - '-e', '/[@]BEGIN_APPARMOR_2[@]/d', - '-e', '/[@]END_APPARMOR_2[@]/d', - '@INPUT@' - ] -endif - foreach name : apparmor_gen_profiles - tmp = configure_file( - input: '@0@.in'.format(name), - output: '@0@.tmp'.format(name), - command: apparmor_gen_cmd, - capture: true, - ) configure_file( - input: tmp, + input: '@0@.in'.format(name), output: name, configuration: apparmor_gen_profiles_conf, install: true, -- 2.48.1
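Review bot: With the sed stage removed, any `@BEGIN_APPARMOR_3@` / `@END_APPARMOR_2@` marker still present in a `.in` profile is no longer stripped; `configure_file()` only substitutes the keys in apparmor_gen_profiles_conf, so a stray marker would land verbatim in the installed profile and be rejected by apparmor_parser. Patch 1 appears to clear all six profiles, but a `git grep -n 'APPARMOR_[23]@' src/security/apparmor` mentioned in the commit message, or a parse-only check of the generated output (`apparmor_parser -Q`) in CI, would keep this revert safe against future stragglers.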

From: Daniel P. Berrangé <berrange@redhat.com> We can now assume at least version three: * Debian 12: 3.0.8 * openSUSE Leap 15.5: 3.0.4 * openSUSE Leap 15.6: 3.1.7 * Ubuntu 22.04: 3.0.4 * Ubuntu 24.04: 4.0.0 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- meson.build | 3 --- src/security/apparmor/meson.build | 11 ----------- src/security/virt-aa-helper.c | 9 ++------- 3 files changed, 2 insertions(+), 21 deletions(-) diff --git a/meson.build b/meson.build index 56823ca25b..9e23b3089f 100644 --- a/meson.build +++ b/meson.build @@ -929,9 +929,6 @@ endif apparmor_dep = dependency('libapparmor', required: get_option('apparmor')) if apparmor_dep.found() conf.set('WITH_APPARMOR', 1) - if apparmor_dep.version().version_compare('>=3.0.0') - conf.set('WITH_APPARMOR_3', 1) - endif conf.set_quoted('APPARMOR_DIR', sysconfdir / 'apparmor.d') conf.set_quoted('APPARMOR_PROFILES_PATH', '/sys/kernel/security/apparmor/profiles') endif diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build index f1319541e4..c1bd10717b 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -44,14 +44,3 @@ install_data( [ 'TEMPLATE.qemu', 'TEMPLATE.lxc' ], install_dir: apparmor_dir / 'libvirt', ) - -if not conf.has('WITH_APPARMOR_3') - # We only install the empty local override for AppArmor 2.x. For - # AppArmor 3.x, upstream's preference is to avoid creating these - # files in order to limit the amount of filesystem clutter. - install_data( - 'usr.lib.libvirt.virt-aa-helper.local', - install_dir: apparmor_dir / 'local', - rename: 'usr.lib.libvirt.virt-aa-helper', - ) -endif diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 034c042007..25bffdd30b 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c 
@@ -1560,13 +1560,8 @@ main(int argc, char **argv) /* create the profile from TEMPLATE */ if (ctl->cmd == 'c' || purged) { - g_autofree char *tmp = NULL; -#if defined(WITH_APPARMOR_3) - const char *ifexists = "if exists "; -#else - const char *ifexists = ""; -#endif - tmp = g_strdup_printf(" #include %s<libvirt/%s.files>\n", ifexists, ctl->uuid); + g_autofree char *tmp = g_strdup_printf( + " #include if exists %s<libvirt/%s.files>\n", ifexists, ctl->uuid); if (ctl->dryrun) { vah_info(profile); -- 2.48.1
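Review bot: The virt-aa-helper.c hunk does not compile: `ifexists` is deleted but still passed as an argument to g_strdup_printf(), and the format string keeps the now-surplus `%s`, so even if it built `ctl->uuid` would be consumed by the wrong placeholder and the second one left unfed. The replacement should be `g_autofree char *tmp = g_strdup_printf(" #include if exists <libvirt/%s.files>\n", ctl->uuid);` with no other arguments.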
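Review bot: The top-level meson.build hunk drops the `>=3.0.0` comparison without replacing it with a hard requirement, so a 2.x libapparmor still satisfies `dependency('libapparmor', required: get_option('apparmor'))` and the build silently produces profiles the host cannot load. Put the floor on the dependency itself, e.g. `apparmor_dep = dependency('libapparmor', version: '>=3.0.0', required: get_option('apparmor'))`, so that an old host gets a clear configure-time error instead of a runtime profile-load failure.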
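Review bot: The src/security/apparmor/meson.build hunk removes the only install_data() for `usr.lib.libvirt.virt-aa-helper.local`, but neither this patch nor the series diffstat deletes that source file, so it is left orphaned in the tree; `git rm` it in the same commit. Since the profile keeps `include if exists <local/usr.lib.libvirt.virt-aa-helper>`, a copy left behind in /etc/apparmor.d/local by an earlier 2.x install is still honoured as an override, which is worth a sentence in the commit message.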

On Mon, Mar 31, 2025 at 11:48:23AM +0100, Daniel P. Berrangé via Devel wrote:
From: Daniel P. Berrangé <berrange@redhat.com>
We can now assume at least version three:
* Debian 12: 3.0.8
* openSUSE Leap 15.5: 3.0.4
* openSUSE Leap 15.6: 3.1.7
* Ubuntu 22.04: 3.0.4
* Ubuntu 24.04: 4.0.0
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 meson.build                       |  3 ---
 src/security/apparmor/meson.build | 11 -----------
 src/security/virt-aa-helper.c     |  9 ++-------
 3 files changed, 2 insertions(+), 21 deletions(-)
diff --git a/meson.build b/meson.build index 56823ca25b..9e23b3089f 100644 --- a/meson.build +++ b/meson.build @@ -929,9 +929,6 @@ endif apparmor_dep = dependency('libapparmor', required: get_option('apparmor'))
We should probably add a version check here to require >=3.0.0 like we do with other dependencies in case someone tries to compile new libvirt with old apparmor.
if apparmor_dep.found() conf.set('WITH_APPARMOR', 1) - if apparmor_dep.version().version_compare('>=3.0.0') - conf.set('WITH_APPARMOR_3', 1) - endif conf.set_quoted('APPARMOR_DIR', sysconfdir / 'apparmor.d') conf.set_quoted('APPARMOR_PROFILES_PATH', '/sys/kernel/security/apparmor/profiles') endif diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build index f1319541e4..c1bd10717b 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -44,14 +44,3 @@ install_data( [ 'TEMPLATE.qemu', 'TEMPLATE.lxc' ], install_dir: apparmor_dir / 'libvirt', ) - -if not conf.has('WITH_APPARMOR_3') - # We only install the empty local override for AppArmor 2.x. For - # AppArmor 3.x, upstream's preference is to avoid creating these - # files in order to limit the amount of filesystem clutter. - install_data( - 'usr.lib.libvirt.virt-aa-helper.local', - install_dir: apparmor_dir / 'local', - rename: 'usr.lib.libvirt.virt-aa-helper', - ) -endif diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 034c042007..25bffdd30b 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1560,13 +1560,8 @@ main(int argc, char **argv)
/* create the profile from TEMPLATE */ if (ctl->cmd == 'c' || purged) { - g_autofree char *tmp = NULL; -#if defined(WITH_APPARMOR_3) - const char *ifexists = "if exists "; -#else - const char *ifexists = ""; -#endif - tmp = g_strdup_printf(" #include %s<libvirt/%s.files>\n", ifexists, ctl->uuid); + g_autofree char *tmp = g_strdup_printf( + " #include if exists %s<libvirt/%s.files>\n", ifexists, ctl->uuid);
if (ctl->dryrun) { vah_info(profile); -- 2.48.1

On Mon, Mar 31, 2025 at 11:48:20AM +0100, Daniel P. Berrangé via Devel wrote:
Daniel P. Berrangé (3):
  apparmor: assume at least apparmor >= 3
  Revert "apparmor: Allow version-specific bits in profiles"
  meson: drop remaining checks for apparmor version
With the comment for patch 03 addressed. Reviewed-by: Pavel Hrdina <phrdina@redhat.com>

On Mon, Mar 31, 2025 at 01:10:38PM +0200, Pavel Hrdina wrote:
On Mon, Mar 31, 2025 at 11:48:20AM +0100, Daniel P. Berrangé via Devel wrote:
Daniel P. Berrangé (3):
  apparmor: assume at least apparmor >= 3
  Revert "apparmor: Allow version-specific bits in profiles"
  meson: drop remaining checks for apparmor version
With the comment for patch 03 addressed.
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Sorry, I hit the wrong command and sent this by mistake. I meant to push to gitlab for CI first, and this series doesn't actually build as is.

With regards,
Daniel
-- 
|: https://berrange.com      -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|