virt-aa-helper: use 'include if exists' on .files

Change the 'include' in the AppArmor policy to use 'include if exists' when including <uuid>.files. Note that 'if exists' is only available after AppArmor 3.0, therefore a #ifdef check must be added. When the <uuid>.files is not present, there are some failures in the AppArmor tools like the following, since they expect the file to exist when using 'include': ERROR: Include file /etc/apparmor.d/libvirt/libvirt-8534a409-a460-4fab-a2dd-0e1dce4ff273.files not found Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2024-11-05 04:41:20 +00:00 · 2024-06-04 14:34:56 -03:00 · 2024-06-04 14:34:56 -03:00 · a2455fd53d
commit a2455fd53d
parent a7eb7de531
1 changed files with 6 additions and 1 deletions
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@ -1564,7 +1564,12 @@ main(int argc, char **argv)
        /* create the profile from TEMPLATE */
        if (ctl->cmd == 'c' || purged) {
            char *tmp = NULL;
-            tmp = g_strdup_printf("  #include <libvirt/%s.files>\n", ctl->uuid);
+#if defined(WITH_APPARMOR_3)
+            const char *ifexists = "if exists ";
+#else
+            const char *ifexists = "";
+#endif
+            tmp = g_strdup_printf("  #include %s<libvirt/%s.files>\n", ifexists, ctl->uuid);

            if (ctl->dryrun) {
                vah_info(profile);