5:48 a.m.
Daniel P. Berrangé (3):
apparmor: assume at least apparmor >= 3
Revert "apparmor: Allow version-specific bits in profiles"
meson: drop remaining checks for apparmor version
meson.build | 3 --
src/security/apparmor/libvirt-lxc.in | 2 -
src/security/apparmor/libvirt-qemu.in | 4 --
src/security/apparmor/meson.build | 45 +------------------
.../usr.lib.libvirt.virt-aa-helper.in | 5 ---
src/security/apparmor/usr.sbin.libvirtd.in | 2 -
src/security/apparmor/usr.sbin.virtqemud.in | 2 -
src/security/apparmor/usr.sbin.virtxend.in | 2 -
src/security/virt-aa-helper.c | 9 +---
9 files changed, 3 insertions(+), 71 deletions(-)
--
2.48.1
5:48 a.m.
New subject: [PATCH 1/3] apparmor: assume at least apparmor >= 3
From: Daniel P. Berrangé <berrange(a)redhat.com>
By assuming version 3, we can drop all the conditional version
substitutions from the profiles.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/security/apparmor/libvirt-lxc.in | 2 --
src/security/apparmor/libvirt-qemu.in | 4 ----
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 5 -----
src/security/apparmor/usr.sbin.libvirtd.in | 2 --
src/security/apparmor/usr.sbin.virtqemud.in | 2 --
src/security/apparmor/usr.sbin.virtxend.in | 2 --
6 files changed, 17 deletions(-)
diff --git a/src/security/apparmor/libvirt-lxc.in b/src/security/apparmor/libvirt-lxc.in
index ffe4d8f21f..11005e7c21 100644
--- a/src/security/apparmor/libvirt-lxc.in
+++ b/src/security/apparmor/libvirt-lxc.in
@@ -117,6 +117,4 @@
deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx,
-@BEGIN_APPARMOR_3@
include if exists <abstractions/libvirt-lxc.d>
-@END_APPARMOR_3@
diff --git a/src/security/apparmor/libvirt-qemu.in
b/src/security/apparmor/libvirt-qemu.in
index c63077574e..e4aceacd70 100644
--- a/src/security/apparmor/libvirt-qemu.in
+++ b/src/security/apparmor/libvirt-qemu.in
@@ -190,7 +190,6 @@
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/(a){multiarch}/libswtpm_libtpms.so mr,
-@BEGIN_APPARMOR_3@
# support for passt network back-end
/usr/bin/passt Cx -> passt,
@@ -206,7 +205,6 @@
include if exists <abstractions/passt>
}
-@END_APPARMOR_3@
# for save and resume
/{usr/,}bin/dash rmix,
@@ -281,6 +279,4 @@
owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
-@BEGIN_APPARMOR_3@
include if exists <abstractions/libvirt-qemu.d>
-@END_APPARMOR_3@
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index 90a8b7072c..e209a8bff7 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -74,10 +74,5 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
/**.[iI][sS][oO] r,
/**/disk{,.*} r,
-@BEGIN_APPARMOR_3@
include if exists <local/usr.lib.libvirt.virt-aa-helper>
-@END_APPARMOR_3@
-@BEGIN_APPARMOR_2@
- #include <local/usr.lib.libvirt.virt-aa-helper>
-@END_APPARMOR_2@
}
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in
b/src/security/apparmor/usr.sbin.libvirtd.in
index 3659ddc219..6267e4f737 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -144,7 +144,5 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
/usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix,
}
-@BEGIN_APPARMOR_3@
include if exists <local/usr.sbin.libvirtd>
-@END_APPARMOR_3@
}
diff --git a/src/security/apparmor/usr.sbin.virtqemud.in
b/src/security/apparmor/usr.sbin.virtqemud.in
index 86b23465b6..522c098af6 100644
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -136,7 +136,5 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
/usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix,
}
-@BEGIN_APPARMOR_3@
include if exists <local/usr.sbin.virtqemud>
-@END_APPARMOR_3@
}
diff --git a/src/security/apparmor/usr.sbin.virtxend.in
b/src/security/apparmor/usr.sbin.virtxend.in
index 77fedce352..324a000391 100644
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@@ -55,7 +55,5 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
-@BEGIN_APPARMOR_3@
include if exists <local/usr.sbin.virtxend>
-@END_APPARMOR_3@
}
--
2.48.1
5:48 a.m.
New subject: [PATCH 2/3] Revert "apparmor: Allow version-specific bits in profiles"
From: Daniel P. Berrangé <berrange(a)redhat.com>
This reverts commit 19eb8abc9a4d15190852d644b773a2348f11c9da.
It is no longer required since the minimum version can be
assumed >= 3
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/security/apparmor/meson.build | 34 +------------------------------
1 file changed, 1 insertion(+), 33 deletions(-)
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index b9257c816d..f1319541e4 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -19,41 +19,9 @@ apparmor_gen_profiles_conf = configuration_data({
apparmor_dir = sysconfdir / 'apparmor.d'
-# Our profiles use some features that only work well on AppArmor 3.x,
-# specifically the 'include if exists' directive. In order to keep
-# supporting AppArmor 2.x, the bits that are version-specific are
-# enclosed in special markers and we decide which ones to include
-# based on the AppArmor version detected on the host.
-#
-# TODO: drop the additional complexity once we no longer target
-# distros that ship AppArmor 2.x (Debian 11, Ubuntu 20.04)
-if conf.has('WITH_APPARMOR_3')
- apparmor_gen_cmd = [
- 'sed',
- '-e', '/[@]BEGIN_APPARMOR_3[@]/d',
- '-e', '/[@]END_APPARMOR_3[@]/d',
- '-e', '/[@]BEGIN_APPARMOR_2[@]/,/[@]END_APPARMOR_2[@]/d',
- '@INPUT@'
- ]
-else
- apparmor_gen_cmd = [
- 'sed',
- '-e', '/[@]BEGIN_APPARMOR_3[@]/,/[@]END_APPARMOR_3[@]/d',
- '-e', '/[@]BEGIN_APPARMOR_2[@]/d',
- '-e', '/[@]END_APPARMOR_2[@]/d',
- '@INPUT@'
- ]
-endif
-
foreach name : apparmor_gen_profiles
- tmp = configure_file(
- input: '@0@.in'.format(name),
- output: '@0@.tmp'.format(name),
- command: apparmor_gen_cmd,
- capture: true,
- )
configure_file(
- input: tmp,
+ input: '@0@.in'.format(name),
output: name,
configuration: apparmor_gen_profiles_conf,
install: true,
--
2.48.1
5:48 a.m.
New subject: [PATCH 3/3] meson: drop remaining checks for apparmor version
From: Daniel P. Berrangé <berrange(a)redhat.com>
We can now assume at least version three:
* Debian 12: 3.0.8
* openSUSE Leap 15.5: 3.0.4
* openSUSE Leap 15.6: 3.1.7
* Ubuntu 22.04: 3.0.4
* Ubuntu 24.04: 4.0.0
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
meson.build | 3 ---
src/security/apparmor/meson.build | 11 -----------
src/security/virt-aa-helper.c | 9 ++-------
3 files changed, 2 insertions(+), 21 deletions(-)
diff --git a/meson.build b/meson.build
index 56823ca25b..9e23b3089f 100644
--- a/meson.build
+++ b/meson.build
@@ -929,9 +929,6 @@ endif
apparmor_dep = dependency('libapparmor', required:
get_option('apparmor'))
if apparmor_dep.found()
conf.set('WITH_APPARMOR', 1)
- if apparmor_dep.version().version_compare('>=3.0.0')
- conf.set('WITH_APPARMOR_3', 1)
- endif
conf.set_quoted('APPARMOR_DIR', sysconfdir / 'apparmor.d')
conf.set_quoted('APPARMOR_PROFILES_PATH',
'/sys/kernel/security/apparmor/profiles')
endif
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index f1319541e4..c1bd10717b 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -44,14 +44,3 @@ install_data(
[ 'TEMPLATE.qemu', 'TEMPLATE.lxc' ],
install_dir: apparmor_dir / 'libvirt',
)
-
-if not conf.has('WITH_APPARMOR_3')
- # We only install the empty local override for AppArmor 2.x. For
- # AppArmor 3.x, upstream's preference is to avoid creating these
- # files in order to limit the amount of filesystem clutter.
- install_data(
- 'usr.lib.libvirt.virt-aa-helper.local',
- install_dir: apparmor_dir / 'local',
- rename: 'usr.lib.libvirt.virt-aa-helper',
- )
-endif
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 034c042007..25bffdd30b 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1560,13 +1560,8 @@ main(int argc, char **argv)
/* create the profile from TEMPLATE */
if (ctl->cmd == 'c' || purged) {
- g_autofree char *tmp = NULL;
-#if defined(WITH_APPARMOR_3)
- const char *ifexists = "if exists ";
-#else
- const char *ifexists = "";
-#endif
- tmp = g_strdup_printf(" #include %s<libvirt/%s.files>\n",
ifexists, ctl->uuid);
+ g_autofree char *tmp = g_strdup_printf(
+ " #include if exists %s<libvirt/%s.files>\n", ifexists,
ctl->uuid);
if (ctl->dryrun) {
vah_info(profile);
--
2.48.1
6:09 a.m.
New subject: [PATCH 3/3] meson: drop remaining checks for apparmor version
On Mon, Mar 31, 2025 at 11:48:23AM +0100, Daniel P. Berrangé via Devel wrote:
From: Daniel P. Berrangé <berrange(a)redhat.com>
We can now assume at least version three:
* Debian 12: 3.0.8
* openSUSE Leap 15.5: 3.0.4
* openSUSE Leap 15.6: 3.1.7
* Ubuntu 22.04: 3.0.4
* Ubuntu 24.04: 4.0.0
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
meson.build | 3 ---
src/security/apparmor/meson.build | 11 -----------
src/security/virt-aa-helper.c | 9 ++-------
3 files changed, 2 insertions(+), 21 deletions(-)
diff --git a/meson.build b/meson.build
index 56823ca25b..9e23b3089f 100644
--- a/meson.build
+++ b/meson.build
@@ -929,9 +929,6 @@ endif
apparmor_dep = dependency('libapparmor', required:
get_option('apparmor'))
We should probably add a version check here to require >=3.0.0 like we
do with other dependencies in case someone tries to compile new libvirt
with old apparmor.
if apparmor_dep.found()
conf.set('WITH_APPARMOR', 1)
- if apparmor_dep.version().version_compare('>=3.0.0')
- conf.set('WITH_APPARMOR_3', 1)
- endif
conf.set_quoted('APPARMOR_DIR', sysconfdir / 'apparmor.d')
conf.set_quoted('APPARMOR_PROFILES_PATH',
'/sys/kernel/security/apparmor/profiles')
endif
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index f1319541e4..c1bd10717b 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -44,14 +44,3 @@ install_data(
[ 'TEMPLATE.qemu', 'TEMPLATE.lxc' ],
install_dir: apparmor_dir / 'libvirt',
)
-
-if not conf.has('WITH_APPARMOR_3')
- # We only install the empty local override for AppArmor 2.x. For
- # AppArmor 3.x, upstream's preference is to avoid creating these
- # files in order to limit the amount of filesystem clutter.
- install_data(
- 'usr.lib.libvirt.virt-aa-helper.local',
- install_dir: apparmor_dir / 'local',
- rename: 'usr.lib.libvirt.virt-aa-helper',
- )
-endif
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 034c042007..25bffdd30b 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1560,13 +1560,8 @@ main(int argc, char **argv)
/* create the profile from TEMPLATE */
if (ctl->cmd == 'c' || purged) {
- g_autofree char *tmp = NULL;
-#if defined(WITH_APPARMOR_3)
- const char *ifexists = "if exists ";
-#else
- const char *ifexists = "";
-#endif
- tmp = g_strdup_printf(" #include %s<libvirt/%s.files>\n",
ifexists, ctl->uuid);
+ g_autofree char *tmp = g_strdup_printf(
+ " #include if exists %s<libvirt/%s.files>\n", ifexists,
ctl->uuid);
if (ctl->dryrun) {
vah_info(profile);
--
2.48.1
6:10 a.m.
On Mon, Mar 31, 2025 at 11:48:20AM +0100, Daniel P. Berrangé via Devel wrote:
Daniel P. Berrangé (3):
apparmor: assume at least apparmor >= 3
Revert "apparmor: Allow version-specific bits in profiles"
meson: drop remaining checks for apparmor version
With the comment for patch 03 addressed.
Reviewed-by: Pavel Hrdina <phrdina(a)redhat.com>
6:21 a.m.
On Mon, Mar 31, 2025 at 01:10:38PM +0200, Pavel Hrdina wrote:
On Mon, Mar 31, 2025 at 11:48:20AM +0100, Daniel P. Berrangé via
Devel wrote:
>
>
> Daniel P. Berrangé (3):
> apparmor: assume at least apparmor >= 3
> Revert "apparmor: Allow version-specific bits in profiles"
> meson: drop remaining checks for apparmor version
With the comment for patch 03 addressed.
Reviewed-by: Pavel Hrdina <phrdina(a)redhat.com>
Sorry, I hit the wrong command and sent this by mistake. I meant to push
to gitlab for CI first, and this series doesn't actually build as is.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
29
days inactive
29
days old
6 comments
2 participants
participants (2)
-
Daniel P. Berrangé -
Pavel Hrdina