From d9c21f4bfc1ab74a84bf54968caf9f16e7efe9df Mon Sep 17 00:00:00 2001
From: Christian Ehrhardt
Date: Thu, 6 Aug 2020 16:54:34 +0200
Subject: [PATCH] apparmor: allow adding permanent per guest rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The design of apparmor in libvirt always had a way to define custom per-guest rules as described in docs/drvqemu.html and [1].

A fix meant to clean the profiles after guest shutdown was a bit overzealous and accidentially removed this important admin feature as well.

Therefore reduce the --delete option of virt-aa-helper to only delete the .files that would be re-generated in any case.

Users/Admins are always free to clean the profiles themselve if they prefer a clean directory - they will be regenerated as needed. But libvirt should never remove the base profile meant to allow per-guest overrides and thereby break a documented feature.

[1]: https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage

Fixes: eba2225b "apparmor: delete profile on VM shutdown"

Signed-off-by: Christian Ehrhardt
Reviewed-by: Daniel P. Berrangé
---
 src/security/virt-aa-helper.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index dadb9d1614..4b66422b8f 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -99,7 +99,7 @@ vah_usage(void)
 " Modes:\n"
 " -a | --add load profile\n"
 " -c | --create create profile from template\n"
- " -D | --delete unload and delete profile\n"
+ " -D | --delete unload profile and delete generated rules\n"
 " -r | --replace reload profile\n"
 " -R | --remove unload profile\n"
 " Options:\n"
@@ -1491,7 +1491,6 @@ main(int argc, char **argv)
 rc = parserRemove(ctl->uuid);
 if (ctl->cmd == 'D') {
 unlink(include_file);
- unlink(profile);
 }
 } else if (ctl->cmd == 'c' || ctl->cmd == 'r') {
 char *included_files = NULL;
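Review bot: The second hunk leaves `unlink(include_file);` with its return value unchecked, so a failed removal for any reason other than ENOENT silently keeps the generated .files include on disk until the next create/replace regenerates it, and the admin running `-D` is never told. Because deleting the `unlink(profile);` line is the whole fix, the reason the base profile is now kept should be recorded next to the remaining unlink so the cleanup is not re-added later, e.g. `/* Only the generated .files include is removed here: the base profile may carry admin-authored per-guest rules (see docs/drvqemu.html) and must survive -D. */`. I would also check the unlink result, `if (unlink(include_file) < 0 && errno != ENOENT)`, and report the failure through the helper's existing warning path (vah_warning, if that is what this file uses) rather than dropping it. main() begins and ends outside this hunk, so the surrounding error-handling flow is not visible here.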