apparmor: Improve virt-aa-helper include

For AppArmor 3.x we can use 'include if exists', which frees us from having to create a dummy override. For AppArmor 2.x we keep things as they are to avoid introducing regressions. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Jim Fehlig <jfehlig@suse.com>
2024-07-07 18:35:46 +00:00 · 2023-06-29 11:40:16 +02:00 · 2023-06-29 11:40:16 +02:00 · 21a84ec994
commit 21a84ec994
parent b6092de883
2 changed files with 15 additions and 5 deletions
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@ -77,8 +77,13 @@ install_data(
  install_dir: apparmor_dir / 'libvirt',
 )

-install_data(
-  'usr.lib.libvirt.virt-aa-helper.local',
-  install_dir: apparmor_dir / 'local',
-  rename: 'usr.lib.libvirt.virt-aa-helper',
-)
+if not conf.has('WITH_APPARMOR_3')
+  # We only install the empty local override for AppArmor 2.x. For
+  # AppArmor 3.x, upstream's preference is to avoid creating these
+  # files in order to limit the amount of filesystem clutter.
+  install_data(
+    'usr.lib.libvirt.virt-aa-helper.local',
+    install_dir: apparmor_dir / 'local',
+    rename: 'usr.lib.libvirt.virt-aa-helper',
+  )
+endif
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@ -71,5 +71,10 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
  /**.[iI][sS][oO] r,
  /**/disk{,.*} r,

+@BEGIN_APPARMOR_3@
+  include if exists <local/usr.lib.libvirt.virt-aa-helper>
+@END_APPARMOR_3@
+@BEGIN_APPARMOR_2@
  #include <local/usr.lib.libvirt.virt-aa-helper>
+@END_APPARMOR_2@
 }