From 9b743ee19053db2fc3da8fba1e9cf81915c1e2f4 Mon Sep 17 00:00:00 2001
From: Jim Fehlig
Date: Tue, 6 Jun 2023 11:05:50 -0600
Subject: [PATCH] apparmor: Add support for local profile customizations

Apparmor profiles in /etc/apparmor.d/ are config files that can and should be replaced on package upgrade, which introduces the potential to overwrite any local changes. Apparmor supports local profile customizations via /etc/apparmor.d/local/ [1]. This change makes the support explicit by adding libvirtd, virtqemud, and virtxend profile customization stubs to /etc/apparmor.d/local/. The stubs are conditionally included by the corresponding main profiles.

[1] https://ubuntu.com/server/docs/security-apparmor See "Profile customization" section

Signed-off-by: Jim Fehlig
Reviewed-by: Michal Privoznik
---
 src/security/apparmor/meson.build | 12 +++++++-----
 src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
 src/security/apparmor/usr.sbin.libvirtd.local | 1 +
 src/security/apparmor/usr.sbin.virtqemud.in | 3 +++
 src/security/apparmor/usr.sbin.virtqemud.local | 1 +
 src/security/apparmor/usr.sbin.virtxend.in | 3 +++
 src/security/apparmor/usr.sbin.virtxend.local | 1 +
 7 files changed, 19 insertions(+), 5 deletions(-)
 create mode 100644 src/security/apparmor/usr.sbin.libvirtd.local
 create mode 100644 src/security/apparmor/usr.sbin.virtqemud.local
 create mode 100644 src/security/apparmor/usr.sbin.virtxend.local
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 58b4024b85..02a6d098ad 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -34,8 +34,10 @@ install_data(
 install_dir: apparmor_dir / 'libvirt',
 )
 
-install_data(
- 'usr.lib.libvirt.virt-aa-helper.local',
- install_dir: apparmor_dir / 'local',
- rename: 'usr.lib.libvirt.virt-aa-helper',
-)
+foreach name : apparmor_gen_profiles
+ install_data(
+ '@0@.local'.format(name),
+ install_dir: apparmor_dir / 'local',
+ rename: name,
+ )
+endforeach
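Review bot: The new foreach at the end of the hunk quietly depends on `apparmor_gen_profiles` (defined outside this hunk) still containing `usr.lib.libvirt.virt-aa-helper`, because the explicit install of `usr.lib.libvirt.virt-aa-helper.local` is removed here; if that entry is absent the helper's local stub stops being installed, and conversely any name added to the list later must ship a matching `.local` file or `install_data` fails at configure time. A one-line comment above the loop would record that coupling, e.g. `# every entry in apparmor_gen_profiles must ship a <name>.local stub; it is installed as local/<name>`. Note also that `install_data` overwrites an existing `local/<name>` on every reinstall, so the goal stated in the description (site changes surviving upgrades) still relies on downstream packaging treating these files as non-replaceable config; stating that in the commit message or the comment would keep that expectation visible to packagers.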
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index edb8dd8e26..41bdef53ec 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -139,4 +139,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
 /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
 }
 
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
 }
diff --git a/src/security/apparmor/usr.sbin.libvirtd.local b/src/security/apparmor/usr.sbin.libvirtd.local
new file mode 100644
index 0000000000..3716400022
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.libvirtd.local
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.libvirtd'
diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in
index f269c60809..3ebdbf2a8f 100644
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -132,4 +132,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
 /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
 }
 
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
 }
diff --git a/src/security/apparmor/usr.sbin.virtqemud.local b/src/security/apparmor/usr.sbin.virtqemud.local
new file mode 100644
index 0000000000..2ac68bb069
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtqemud.local
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.virtqemud'
diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/apparmor/usr.sbin.virtxend.in
index 72e0d801e5..719766a0c1 100644
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
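Review bot: The added `include if exists` line shows no include target on this page, in the libvirtd.in hunk here and likewise in the virtqemud.in hunk on the same line and the virtxend.in hunk below; presumably the angle-bracketed path was stripped in rendering, so confirm the committed line carries the full path in the form `include if exists <local/usr.sbin.libvirtd>` (the name `rename: name` in meson.build installs under `local/`), since a bare `include if exists` does not parse. Because the conditional form silently skips a missing file, a mismatch between the path written here and the stub name actually installed produces no error and the site customization simply never takes effect; a short comment that the two names must match exactly would make that failure mode visible. It is also worth stating in the description that `include if exists` is only understood by apparmor_parser releases that support the conditional form; on an older parser the whole profile fails to load, and the daemon would likely run without its intended confinement, which is a security-relevant regression for such hosts. The profile bodies begin outside these hunks.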
@@ -52,4 +52,7 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
 @libexecdir@/libvirt_iohelper ix,
 /etc/libvirt/hooks/** rmix,
 /etc/xen/scripts/** rmix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
 }
diff --git a/src/security/apparmor/usr.sbin.virtxend.local b/src/security/apparmor/usr.sbin.virtxend.local
new file mode 100644
index 0000000000..2ade86d4df
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtxend.local
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.virtxend'