apparmor: Add support for local profile customizations

Apparmor profiles in /etc/apparmor.d/ are config files that can and should be replaced on package upgrade, which introduces the potential to overwrite any local changes. Apparmor supports local profile customizations via /etc/apparmor.d/local/<service> [1]. This change makes the support explicit by adding libvirtd, virtqemud, and virtxend profile customization stubs to /etc/apparmor.d/local/. The stubs are conditionally included by the corresponding main profiles. [1] https://ubuntu.com/server/docs/security-apparmor See "Profile customization" section Signed-off-by: Jim Fehlig <jfehlig@suse.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2024-12-22 05:35:25 +00:00 · 2023-06-06 11:05:50 -06:00 · 2023-06-06 11:05:50 -06:00 · 9b743ee190
commit 9b743ee190
parent 17565ee0aa
7 changed files with 19 additions and 5 deletions
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@ -34,8 +34,10 @@ install_data(
  install_dir: apparmor_dir / 'libvirt',
 )

-install_data(
-  'usr.lib.libvirt.virt-aa-helper.local',
-  install_dir: apparmor_dir / 'local',
-  rename: 'usr.lib.libvirt.virt-aa-helper',
-)
+foreach name : apparmor_gen_profiles
+  install_data(
+    '@0@.local'.format(name),
+    install_dir: apparmor_dir / 'local',
+    rename: name,
+  )
+endforeach
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@ -139,4 +139,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {

   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
  }
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.sbin.libvirtd>
 }
--- a/src/security/apparmor/usr.sbin.libvirtd.local
+++ b/src/security/apparmor/usr.sbin.libvirtd.local
@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.libvirtd'
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@ -132,4 +132,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {

   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
  }
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.sbin.virtqemud>
 }
--- a/src/security/apparmor/usr.sbin.virtqemud.local
+++ b/src/security/apparmor/usr.sbin.virtqemud.local
@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.virtqemud'
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@ -52,4 +52,7 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
  @libexecdir@/libvirt_iohelper ix,
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.sbin.virtxend>
 }
--- a/src/security/apparmor/usr.sbin.virtxend.local
+++ b/src/security/apparmor/usr.sbin.virtxend.local
@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.virtxend'
				`@ -0,0 +1 @@`
				`# Site-specific additions and overrides for 'usr.sbin.libvirtd'`