[PATCH v2 0/5] apparmor: assume at least version 3

In v2:
- Do upfront check for apparmor >= 3.0.0
- Add further revert commit

Daniel P. Berrangé (5):
meson: mandate apparmor >= 3.0.0
apparmor: assume at least apparmor >= 3
Revert "apparmor: Allow version-specific bits in abstractions too"
Revert "apparmor: Allow version-specific bits in profiles"
meson: drop remaining checks for apparmor version

meson.build | 7 +-
.../apparmor/{libvirt-lxc.in => libvirt-lxc} | 2 -
.../{libvirt-qemu.in => libvirt-qemu} | 4 --
src/security/apparmor/meson.build | 64 ++-----------------
.../usr.lib.libvirt.virt-aa-helper.in | 5 --
src/security/apparmor/usr.sbin.libvirtd.in | 2 -
src/security/apparmor/usr.sbin.virtqemud.in | 2 -
src/security/apparmor/usr.sbin.virtxend.in | 2 -
src/security/virt-aa-helper.c | 9 +--
9 files changed, 10 insertions(+), 87 deletions(-)
rename src/security/apparmor/{libvirt-lxc.in => libvirt-lxc} (99%)
rename src/security/apparmor/{libvirt-qemu.in => libvirt-qemu} (99%)
-- 
2.48.1

From: Daniel P. Berrangé <berrange@redhat.com>

We can now assume at least version three:

* Debian 12: 3.0.8
* openSUSE Leap 15.5: 3.0.4
* openSUSE Leap 15.6: 3.1.7
* Ubuntu 22.04: 3.0.4
* Ubuntu 24.04: 4.0.0

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
meson.build | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meson.build b/meson.build
index 56823ca25b..d148d3de0b 100644
--- a/meson.build
+++ b/meson.build
@@ -926,12 +926,12 @@ if acl_dep.found() conf.set('WITH_LIBACL', 1) endif -apparmor_dep = dependency('libapparmor', required: get_option('apparmor')) +apparmor_version = '3.0.0' +apparmor_dep = dependency('libapparmor', version: '>=' + apparmor_version, + required: get_option('apparmor')) if apparmor_dep.found() conf.set('WITH_APPARMOR', 1) - if apparmor_dep.version().version_compare('>=3.0.0') - conf.set('WITH_APPARMOR_3', 1) - endif + conf.set('WITH_APPARMOR_3', 1) conf.set_quoted('APPARMOR_DIR', sysconfdir / 'apparmor.d') conf.set_quoted('APPARMOR_PROFILES_PATH', '/sys/kernel/security/apparmor/profiles') endif
-- 
2.48.1
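Review bot: `apparmor_version = '3.0.0'` carries no comment saying what the floor buys, and the only written rationale (the comment in src/security/apparmor/meson.build tying the requirement to the 'include if exists' directive working well only on 3.x) is deleted later in this series, so after the series nothing documents why 3.0.0 is the minimum; a line such as `# 3.0.0: the shipped profiles rely on 'include if exists', which only works well on AppArmor 3.x` next to the assignment would preserve it. It is also worth stating in that comment that the constraint is evaluated against the libapparmor found at build time, whereas `include if exists` is interpreted by the parser on the host that loads the installed profiles; on distro builds the two track each other, so a check at this level is sufficient, but the assumption should be visible. The unconditional `conf.set('WITH_APPARMOR_3', 1)` is a reasonable transitional step given the symbol is removed at the end of the series.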

From: Daniel P. Berrangé <berrange@redhat.com>

By assuming version 3, we can drop all the conditional version substitutions from the profiles.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/security/apparmor/libvirt-lxc.in | 2 --
src/security/apparmor/libvirt-qemu.in | 4 ----
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 5 -----
src/security/apparmor/usr.sbin.libvirtd.in | 2 --
src/security/apparmor/usr.sbin.virtqemud.in | 2 --
src/security/apparmor/usr.sbin.virtxend.in | 2 --
6 files changed, 17 deletions(-)

diff --git a/src/security/apparmor/libvirt-lxc.in b/src/security/apparmor/libvirt-lxc.in
index ffe4d8f21f..11005e7c21 100644
--- a/src/security/apparmor/libvirt-lxc.in
+++ b/src/security/apparmor/libvirt-lxc.in
@@ -117,6 +117,4 @@ deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs?*{,/**} wklx, -@BEGIN_APPARMOR_3@ include if exists <abstractions/libvirt-lxc.d> -@END_APPARMOR_3@
diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
index c63077574e..e4aceacd70 100644
--- a/src/security/apparmor/libvirt-qemu.in
+++ b/src/security/apparmor/libvirt-qemu.in
@@ -190,7 +190,6 @@ /usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, -@BEGIN_APPARMOR_3@ # support for passt network back-end /usr/bin/passt Cx -> passt,
@@ -206,7 +205,6 @@ include if exists <abstractions/passt> } -@END_APPARMOR_3@ # for save and resume /{usr/,}bin/dash rmix,
@@ -281,6 +279,4 @@ owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, -@BEGIN_APPARMOR_3@ include if exists <abstractions/libvirt-qemu.d> -@END_APPARMOR_3@
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index 90a8b7072c..e209a8bff7 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -74,10 +74,5 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { /**.[iI][sS][oO] r, /**/disk{,.*} r, -@BEGIN_APPARMOR_3@ include if exists <local/usr.lib.libvirt.virt-aa-helper> -@END_APPARMOR_3@ -@BEGIN_APPARMOR_2@ - #include <local/usr.lib.libvirt.virt-aa-helper> -@END_APPARMOR_2@ }
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 3659ddc219..6267e4f737 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -144,7 +144,5 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix, } -@BEGIN_APPARMOR_3@ include if exists <local/usr.sbin.libvirtd> -@END_APPARMOR_3@ }
diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in
index 86b23465b6..522c098af6 100644
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -136,7 +136,5 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix, } -@BEGIN_APPARMOR_3@ include if exists <local/usr.sbin.virtqemud> -@END_APPARMOR_3@ }
diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/apparmor/usr.sbin.virtxend.in
index 77fedce352..324a000391 100644
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@@ -55,7 +55,5 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) { /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix, -@BEGIN_APPARMOR_3@ include if exists <local/usr.sbin.virtxend> -@END_APPARMOR_3@ }
-- 
2.48.1

From: Daniel P. Berrangé <berrange@redhat.com>

This reverts commit 63a312fa2d3be0e34a8989deddd39792fc9badf6.

There is no longer any need to dynamically generate version specific rules. This revert can be reverted, if the need ever arises again in the future.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
.../apparmor/{libvirt-lxc.in => libvirt-lxc} | 0
.../{libvirt-qemu.in => libvirt-qemu} | 0
src/security/apparmor/meson.build | 19 ++++---------------
3 files changed, 4 insertions(+), 15 deletions(-)
rename src/security/apparmor/{libvirt-lxc.in => libvirt-lxc} (100%)
rename src/security/apparmor/{libvirt-qemu.in => libvirt-qemu} (100%)

diff --git a/src/security/apparmor/libvirt-lxc.in b/src/security/apparmor/libvirt-lxc
similarity index 100%
rename from src/security/apparmor/libvirt-lxc.in
rename to src/security/apparmor/libvirt-lxc
diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu
similarity index 100%
rename from src/security/apparmor/libvirt-qemu.in
rename to src/security/apparmor/libvirt-qemu
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index b9257c816d..356951c7f1 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -5,11 +5,6 @@ apparmor_gen_profiles = [ 'usr.sbin.virtxend', ] -apparmor_gen_abstractions = [ - 'libvirt-qemu', - 'libvirt-lxc', -] - apparmor_gen_profiles_conf = configuration_data({ 'sysconfdir': sysconfdir, 'sbindir': sbindir,
@@ -61,16 +56,10 @@ foreach name : apparmor_gen_profiles ) endforeach -foreach name : apparmor_gen_abstractions - configure_file( - input: '@0@.in'.format(name), - output: name, - command: apparmor_gen_cmd, - capture: true, - install: true, - install_dir: apparmor_dir / 'abstractions', - ) -endforeach +install_data( + [ 'libvirt-qemu', 'libvirt-lxc' ], + install_dir: apparmor_dir / 'abstractions', +) install_data( [ 'TEMPLATE.qemu', 'TEMPLATE.lxc' ],
-- 
2.48.1
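Review bot: The new `install_data` ships `libvirt-qemu` and `libvirt-lxc` with no processing, yet they were `.in` files until this commit and `libvirt-qemu` still contains `@{multiarch}` (visible in the earlier patch of this series), which reads like a template placeholder at first glance. The removed `foreach` only ever ran the sed command over these files and never passed `configuration:`, so `@{...}` there is an AppArmor variable and nothing has changed in what gets installed; a short comment on the new call, e.g. `# installed verbatim: @{...} in these files are AppArmor variables, not meson placeholders`, would stop someone later adding a meson `@VAR@` to an abstraction and expecting it to be substituted. The two renames themselves need no review.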

From: Daniel P. Berrangé <berrange@redhat.com>

This reverts commit 19eb8abc9a4d15190852d644b773a2348f11c9da.

There is no longer any need to dynamically generate version specific rules. This revert can be reverted, if the need ever arises again in the future.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/security/apparmor/meson.build | 34 +------------------------------
1 file changed, 1 insertion(+), 33 deletions(-)

diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 356951c7f1..18968677df 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -14,41 +14,9 @@ apparmor_gen_profiles_conf = configuration_data({ apparmor_dir = sysconfdir / 'apparmor.d' -# Our profiles use some features that only work well on AppArmor 3.x, -# specifically the 'include if exists' directive. In order to keep -# supporting AppArmor 2.x, the bits that are version-specific are -# enclosed in special markers and we decide which ones to include -# based on the AppArmor version detected on the host. -# -# TODO: drop the additional complexity once we no longer target -# distros that ship AppArmor 2.x (Debian 11, Ubuntu 20.04) -if conf.has('WITH_APPARMOR_3') - apparmor_gen_cmd = [ - 'sed', - '-e', '/[@]BEGIN_APPARMOR_3[@]/d', - '-e', '/[@]END_APPARMOR_3[@]/d', - '-e', '/[@]BEGIN_APPARMOR_2[@]/,/[@]END_APPARMOR_2[@]/d', - '@INPUT@' - ] -else - apparmor_gen_cmd = [ - 'sed', - '-e', '/[@]BEGIN_APPARMOR_3[@]/,/[@]END_APPARMOR_3[@]/d', - '-e', '/[@]BEGIN_APPARMOR_2[@]/d', - '-e', '/[@]END_APPARMOR_2[@]/d', - '@INPUT@' - ] -endif - foreach name : apparmor_gen_profiles - tmp = configure_file( - input: '@0@.in'.format(name), - output: '@0@.tmp'.format(name), - command: apparmor_gen_cmd, - capture: true, - ) configure_file( - input: tmp, + input: '@0@.in'.format(name), output: name, configuration: apparmor_gen_profiles_conf, install: true,
-- 
2.48.1

From: Daniel P. Berrangé <berrange@redhat.com>

Now that we mandate version 3, any remaining conditional checks in meson/source code can be removed.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
meson.build | 1 -
src/security/apparmor/meson.build | 11 -----------
src/security/virt-aa-helper.c | 9 ++-------
3 files changed, 2 insertions(+), 19 deletions(-)

diff --git a/meson.build b/meson.build
index d148d3de0b..c267d52672 100644
--- a/meson.build
+++ b/meson.build
@@ -931,7 +931,6 @@ apparmor_dep = dependency('libapparmor', version: '>=' + apparmor_version, required: get_option('apparmor')) if apparmor_dep.found() conf.set('WITH_APPARMOR', 1) - conf.set('WITH_APPARMOR_3', 1) conf.set_quoted('APPARMOR_DIR', sysconfdir / 'apparmor.d') conf.set_quoted('APPARMOR_PROFILES_PATH', '/sys/kernel/security/apparmor/profiles') endif
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 18968677df..09d9fac02c 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -33,14 +33,3 @@ install_data( [ 'TEMPLATE.qemu', 'TEMPLATE.lxc' ], install_dir: apparmor_dir / 'libvirt', ) - -if not conf.has('WITH_APPARMOR_3') - # We only install the empty local override for AppArmor 2.x. For - # AppArmor 3.x, upstream's preference is to avoid creating these - # files in order to limit the amount of filesystem clutter. - install_data( - 'usr.lib.libvirt.virt-aa-helper.local', - install_dir: apparmor_dir / 'local', - rename: 'usr.lib.libvirt.virt-aa-helper', - ) -endif
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 034c042007..e3802c18be 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
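Review bot: In the src/security/apparmor/meson.build hunk the `install_data` of `usr.lib.libvirt.virt-aa-helper.local` is removed, but neither this patch's diffstat nor the series diffstat in the cover letter deletes that source file, so `src/security/apparmor/usr.lib.libvirt.virt-aa-helper.local` is presumably left in the tree with nothing referencing it; either delete it in this commit or say in the message why it stays. The deleted comment was also the only record of upstream's preference not to install empty local overrides on 3.x, and with `include if exists <local/...>` now unconditional in every profile that decision is no longer visible anywhere; a one-liner after the remaining `install_data`, e.g. `# no empty local/ override is installed: the profiles use 'include if exists' for it`, would keep it discoverable. The top-level meson.build hunk dropping `WITH_APPARMOR_3` is fine on its own.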
@@ -1560,13 +1560,8 @@ main(int argc, char **argv) /* create the profile from TEMPLATE */ if (ctl->cmd == 'c' || purged) { - g_autofree char *tmp = NULL; -#if defined(WITH_APPARMOR_3) - const char *ifexists = "if exists "; -#else - const char *ifexists = ""; -#endif - tmp = g_strdup_printf(" #include %s<libvirt/%s.files>\n", ifexists, ctl->uuid); + g_autofree char *tmp = g_strdup_printf( + " #include if exists <libvirt/%s.files>\n", ctl->uuid); if (ctl->dryrun) { vah_info(profile);
-- 
2.48.1
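Review bot: The new `g_strdup_printf` hard-codes `if exists` without saying why a missing `<libvirt/%s.files>` fragment must be tolerated; the removed `#if defined(WITH_APPARMOR_3)` at least hinted that the choice depended on parser capability, and now the reader has no cue at all. A comment such as `/* 'if exists': the per-domain .files fragment is not always generated, and its absence must not stop the profile from loading */` would cover it, with the first clause to be confirmed against the code that writes that fragment. `ctl->uuid` is interpolated straight into a profile directive; if, as I recall, the option parser already rejects anything that is not a well-formed UUID, a `/* uuid validated at option parsing */` at this site makes that obvious to a reader auditing the generated profile. main() begins and ends outside the hunk.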

On Mon, Mar 31, 2025 at 01:37:26PM +0100, Daniel P. Berrangé via Devel wrote:
In v2:
- Do upfront check for apparmor >= 3.0.0 - Add further revert commit
Daniel P. Berrangé (5): meson: mandate apparmor >= 3.0.0 apparmor: assume at least apparmor >= 3 Revert "apparmor: Allow version-specific bits in abstractions too" Revert "apparmor: Allow version-specific bits in profiles" meson: drop remaining checks for apparmor version
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>