apparmor: Make all profiles extensible

Do for all other profiles what we already do for the virt-aa-helper one. In this case we limit the feature to AppArmor 3.x, as it was never implemented for 2.x. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Jim Fehlig <jfehlig@suse.com>
2025-01-22 04:25:18 +00:00 · 2023-06-29 12:04:02 +02:00 · 2023-06-29 12:04:02 +02:00 · 4c6feb832f
commit 4c6feb832f
parent 21a84ec994
3 changed files with 12 additions and 0 deletions
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@ -139,4 +139,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {

   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
  }
+
+@BEGIN_APPARMOR_3@
+  include if exists <local/usr.sbin.libvirtd>
+@END_APPARMOR_3@
 }
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@ -132,4 +132,8 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {

   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
  }
+
+@BEGIN_APPARMOR_3@
+  include if exists <local/usr.sbin.virtqemud>
+@END_APPARMOR_3@
 }
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@ -52,4 +52,8 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
  @libexecdir@/libvirt_iohelper ix,
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,
+
+@BEGIN_APPARMOR_3@
+  include if exists <local/usr.sbin.virtxend>
+@END_APPARMOR_3@
 }