File 9b743ee1-apparmor-support-local-profile-customizations.patch of Package libvirt.29828
From dddb929e6b8029c3d3ee61ad336c36a09940b77c Mon Sep 17 00:00:00 2001
From: Jim Fehlig <jfehlig@suse.com>
Date: Tue, 6 Jun 2023 11:05:50 -0600
Subject: [PATCH 1/3] apparmor: Add support for local profile customizations
Apparmor profiles in /etc/apparmor.d/ are config files that can and should
be replaced on package upgrade, which introduces the potential to overwrite
any local changes. Apparmor supports local profile customizations via
/etc/apparmor.d/local/<service> [1].
This change makes the support explicit by adding libvirtd, virtqemud, and
virtxend profile customization stubs to /etc/apparmor.d/local/. The stubs
are conditionally included by the corresponding main profiles.
[1] https://ubuntu.com/server/docs/security-apparmor
See "Profile customization" section
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 9b743ee19053db2fc3da8fba1e9cf81915c1e2f4)
Note: Original commit 9b743ee1 was reverted prior to release of libvirt
9.5.0 due to no support for apparmor 2.x. The solution eventually
committed upstream is very similar when used on a system with apparmor
3.x. One exception is /etc/apparmor.d/local/* files are not distributed.
Adjust this patch to also not distribute the empty local files.
---
src/security/apparmor/meson.build | 6 ------
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 2 +-
src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
src/security/apparmor/usr.sbin.virtqemud.in | 3 +++
src/security/apparmor/usr.sbin.virtxend.in | 3 +++
5 files changed, 10 insertions(+), 7 deletions(-)
Index: libvirt-9.0.0/src/security/apparmor/meson.build
===================================================================
--- libvirt-9.0.0.orig/src/security/apparmor/meson.build
+++ libvirt-9.0.0/src/security/apparmor/meson.build
@@ -33,9 +33,3 @@ install_data(
[ 'TEMPLATE.qemu', 'TEMPLATE.lxc' ],
install_dir: apparmor_dir / 'libvirt',
)
-
-install_data(
- 'usr.lib.libvirt.virt-aa-helper.local',
- install_dir: apparmor_dir / 'local',
- rename: 'usr.lib.libvirt.virt-aa-helper',
-)
Index: libvirt-9.0.0/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
===================================================================
--- libvirt-9.0.0.orig/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ libvirt-9.0.0/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -71,5 +71,5 @@ profile virt-aa-helper @libexecdir@/virt
/**.[iI][sS][oO] r,
/**/disk{,.*} r,
- #include <local/usr.lib.libvirt.virt-aa-helper>
+ include if exists <local/usr.lib.libvirt.virt-aa-helper>
}
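Review bot: The rewritten include line is the only one of the four profile hunks that has no explanatory comment, while the libvirtd, virtqemud and virtxend hunks each add `# Site-specific additions and overrides. See local/README for details.` above theirs; adding the same comment line directly above `include if exists <local/usr.lib.libvirt.virt-aa-helper>` keeps the profiles consistent and tells an administrator where the customization hook is. Note also that `include if exists` silently does nothing when the local file is absent, whereas the old `#include` made the profile fail to load when it was missing, so a mistyped or unshipped local file is no longer caught at parse time; per the commit description this syntax also needs an apparmor 3.x parser, so the profile will not load on 2.x hosts. The enclosing `profile virt-aa-helper` block starts outside the hunk.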
Index: libvirt-9.0.0/src/security/apparmor/usr.sbin.libvirtd.in
===================================================================
--- libvirt-9.0.0.orig/src/security/apparmor/usr.sbin.libvirtd.in
+++ libvirt-9.0.0/src/security/apparmor/usr.sbin.libvirtd.in
@@ -139,4 +139,7 @@ profile libvirtd @sbindir@/libvirtd flag
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.libvirtd>
}
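Review bot: The added comment refers to `local/README`, but this patch installs nothing under `/etc/apparmor.d/local/` (the meson hunk removes the only install_data for that directory and the description says the local files are not distributed), so the reference only resolves if the system's apparmor package ships that README, as upstream AppArmor 3.x appears to; otherwise a wording such as `# Site-specific additions and overrides; place them in /etc/apparmor.d/local/usr.sbin.libvirtd.` would stand on its own. The same comment and `include if exists` line are added in the virtqemud and virtxend hunks, where the same observation applies. Since `include if exists` is silent when the named file is missing, it is worth double-checking that each local path matches the profile filename exactly, as a typo would not be reported at load time. The enclosing `profile libvirtd` block starts outside the hunk.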
Index: libvirt-9.0.0/src/security/apparmor/usr.sbin.virtqemud.in
===================================================================
--- libvirt-9.0.0.orig/src/security/apparmor/usr.sbin.virtqemud.in
+++ libvirt-9.0.0/src/security/apparmor/usr.sbin.virtqemud.in
@@ -132,4 +132,7 @@ profile virtqemud @sbindir@/virtqemud fl
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.virtqemud>
}
Index: libvirt-9.0.0/src/security/apparmor/usr.sbin.virtxend.in
===================================================================
--- libvirt-9.0.0.orig/src/security/apparmor/usr.sbin.virtxend.in
+++ libvirt-9.0.0/src/security/apparmor/usr.sbin.virtxend.in
@@ -52,4 +52,7 @@ profile virtxend @sbindir@/virtxend flag
@libexecdir@/libvirt_iohelper ix,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.sbin.virtxend>
}