[PATCH 1/2] apparmor: allow adding permanent per guest rules

Christian Ehrhardt christian.ehrhardt at canonical.com
Thu Aug 13 10:58:32 UTC 2020


On Fri, Aug 7, 2020 at 6:14 PM Daniel P. Berrangé <berrange at redhat.com>
wrote:

> On Fri, Aug 07, 2020 at 12:21:19PM +0200, Christian Ehrhardt wrote:
> > The design of apparmor in libvirt always had a way to define custom
> > per-guest rules as described in docs/drvqemu.html and [1].
> >
> > A fix meant to clean the profiles after guest shutdown was a bit
> > overzealous and accidentally removed this important admin feature as
> > well.
> >
> > Therefore reduce the --delete option of virt-aa-helper to only delete
> > the .files that would be re-generated in any case.
> >
> > Users/Admins are always free to clean the profiles themselves if they
> > prefer a clean directory - they will be regenerated as needed. But
> > libvirt should never remove the base profile meant to allow per-guest
> > overrides and thereby break a documented feature.
> >
> > [1]: https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage
> >
> > Fixes: eba2225b "apparmor: delete profile on VM shutdown"
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> > ---
> >  src/security/virt-aa-helper.c | 3 +--
> >  1 file changed, 1 insertion(+), 2 deletions(-)
>
> Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
>

(as with the other recent apparmor patch)
Thanks for the review - there was no negative feedback so far and in tests
this worked fine.
I'm committing the changes to not be postponed too close to the next release.


>
> Regards,
> Daniel
> --
> |: https://berrange.com      -o-
> https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-
> https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-
> https://www.instagram.com/dberrange :|
>
>

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
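As an added illustration of the behaviour the quoted commit message describes (this is not libvirt's or virt-aa-helper's own code): a base per-guest profile that an admin has extended with a permanent rule, beside the regenerated `.files` list, and the difference between an overzealous delete and one that only removes the regenerated file. The profile directory, UUID and rules are constructed for the example.

```shell
#!/bin/sh
# Added illustration (not libvirt's code): models the layout libvirt's
# AppArmor driver uses, where libvirt-<uuid> is the base profile an admin
# may hand-edit with permanent per-guest rules and libvirt-<uuid>.files is
# regenerated on every guest start. Directory and UUID are constructed.

set -eu

PROFILE_DIR="${PROFILE_DIR:-$(mktemp -d)}"
UUID="00000000-1111-2222-3333-444444444444"   # constructed sample UUID

# Create a base profile carrying an admin-added rule plus a generated .files list.
setup_guest() {
    mkdir -p "$PROFILE_DIR"
    cat > "$PROFILE_DIR/libvirt-$UUID" <<EOF
#include <tunables/global>
profile libvirt-$UUID flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-$UUID.files>
  # admin-added permanent rule (constructed example)
  /srv/guest-data/** rk,
}
EOF
    printf '  "/var/lib/libvirt/images/guest.qcow2" rwk,\n' \
        > "$PROFILE_DIR/libvirt-$UUID.files"
}

# Behaviour before the fix: both files go, and the admin's rule is lost.
delete_overzealous() {
    rm -f "$PROFILE_DIR/libvirt-$UUID" "$PROFILE_DIR/libvirt-$UUID.files"
}

# Behaviour after the fix: only the regenerated .files list is removed.
delete_fixed() {
    rm -f "$PROFILE_DIR/libvirt-$UUID.files"
}

# Returns 0 if the admin's permanent rule is still present in the base profile.
admin_rule_survives() {
    grep -q '/srv/guest-data/' "$PROFILE_DIR/libvirt-$UUID" 2>/dev/null
}
```

Running `setup_guest; delete_fixed; admin_rule_survives` exits 0, while the same sequence with `delete_overzealous` exits non-zero, which is exactly the regression the patch addresses.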