From 21a84ec994f1228926c445bf9956b0fa1e281c1c Mon Sep 17 00:00:00 2001
From: Andrea Bolognani
Date: Thu, 29 Jun 2023 11:40:16 +0200
Subject: [PATCH] apparmor: Improve virt-aa-helper include
For AppArmor 3.x we can use 'include if exists', which frees us from having to create a dummy override. For AppArmor 2.x we keep things as they are to avoid introducing regressions.
Signed-off-by: Andrea Bolognani
Reviewed-by: Jim Fehlig
---
 src/security/apparmor/meson.build | 15 ++++++++++-----
 .../apparmor/usr.lib.libvirt.virt-aa-helper.in | 5 +++++
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 8bc2405f88..b9257c816d 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -77,8 +77,13 @@ install_data(
 install_dir: apparmor_dir / 'libvirt',
 )
-install_data(
- 'usr.lib.libvirt.virt-aa-helper.local',
- install_dir: apparmor_dir / 'local',
- rename: 'usr.lib.libvirt.virt-aa-helper',
-)
+if not conf.has('WITH_APPARMOR_3')
+ # We only install the empty local override for AppArmor 2.x. For
+ # AppArmor 3.x, upstream's preference is to avoid creating these
+ # files in order to limit the amount of filesystem clutter.
+ install_data(
+ 'usr.lib.libvirt.virt-aa-helper.local',
+ install_dir: apparmor_dir / 'local',
+ rename: 'usr.lib.libvirt.virt-aa-helper',
+ )
+endif
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index ff1d46bebe..26ee20a17d 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -71,5 +71,10 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
 /**.[iI][sS][oO] r,
 /**/disk{,.*} r,
+@BEGIN_APPARMOR_3@
+ include if exists
+@END_APPARMOR_3@
+@BEGIN_APPARMOR_2@
 #include
+@END_APPARMOR_2@
 }
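Review bot: The `if not conf.has('WITH_APPARMOR_3')` guard fixes at build time whether the empty `local/usr.lib.libvirt.virt-aa-helper` is shipped, and the new comment gives only the clutter rationale, not the coupling to the profile template. The profile generated from `usr.lib.libvirt.virt-aa-helper.in` has to select the matching include form from the same option; if the two ever disagree, the 2.x-style `#include` would name a file that is not installed and the profile would presumably fail to load, leaving virt-aa-helper without this profile. How `WITH_APPARMOR_3` is detected is outside this hunk, so it is worth confirming that it reflects the parser on the target host rather than only the build host. I would add a line to the comment such as `# Keep in sync with the include selected in usr.lib.libvirt.virt-aa-helper.in.`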
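Review bot: The `include if exists` line in the `@BEGIN_APPARMOR_3@` branch makes an absent local override silent, which is the intent, but it also means an override that is misnamed or removed on upgrade no longer produces a parser error, so site-specific rules (including any `deny` rules an administrator added) can drop out unnoticed. A short comment above the include would make that visible to whoever edits the profile, e.g. `# Optional site overrides; a missing file is ignored without error on AppArmor 3.x.` The include targets are not visible in this rendering of the patch, so I could not check that both branches name the same file. The profile body starts before this hunk.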