From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH] apparmor: Add support for local profile customizations
Date: Tue, 6 Jun 2023 16:06:12 -0600
Message-ID: <20230606220612.32383-1-jfehlig@suse.com>
Apparmor profiles in /etc/apparmor.d/ are config files that can and should be replaced on package upgrade, which introduces the potential to overwrite any local changes. Apparmor supports local profile customizations via /etc/apparmor.d/local/ [1]. This change makes the support explicit by adding libvirtd, virtqemud, and virtxend profile customization stubs to /etc/apparmor.d/local/. The stubs are conditionally included by the corresponding main profiles.

[1] https://ubuntu.com/server/docs/security-apparmor
    See "Profile customization" section
Signed-off-by: Jim Fehlig
Reviewed-by: Michal Privoznik
---
This patch was inspired by an internal bug report. The SUSE libvirt package has marked /etc/apparmor.d/ profiles as 'config(noreplace)' for as long as I can remember. On rare occasions a profile receives a change that is required to avoid regression. And on rarer occasions a user might have made local customizations to the profile. With 'noreplace', the trap is set for the user to experience the regression. Unless other apparmor users convince me otherwise, I'm planning to make this change in the SUSE package, along with changing the main /etc/apparmor.d/ profiles to 'config' and using 'config(noreplace)' for the local customizations only.

Note: I'm fine keeping this as a downstream-only patch if upstream isn't interested in the clutter.

 src/security/apparmor/meson.build | 12 +++++++-----
 src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
 src/security/apparmor/usr.sbin.libvirtd.local | 1 +
 src/security/apparmor/usr.sbin.virtqemud.in | 3 +++
 src/security/apparmor/usr.sbin.virtqemud.local | 1 +
 src/security/apparmor/usr.sbin.virtxend.in | 3 +++
 src/security/apparmor/usr.sbin.virtxend.local | 1 +
 7 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index 58b4024b85..02a6d098ad 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -34,8 +34,10 @@ install_data( install_dir: apparmor_dir / 'libvirt', ) =20 -install_data( - 'usr.lib.libvirt.virt-aa-helper.local', - install_dir: apparmor_dir / 'local', - rename: 'usr.lib.libvirt.virt-aa-helper', -) +foreach name : apparmor_gen_profiles + install_data( + '@0@.local'.format(name), + install_dir: apparmor_dir / 'local', + rename: name, + ) +endforeach diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/appa= rmor/usr.sbin.libvirtd.in index edb8dd8e26..41bdef53ec 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in 
+++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -139,4 +139,7 @@ profile libvirtd @sbindir@/libvirtd flags=3D(attach_dis= connected) { =20 /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } + + # Site-specific additions and overrides. See local/README for details. + include if exists } diff --git a/src/security/apparmor/usr.sbin.libvirtd.local b/src/security/a= pparmor/usr.sbin.libvirtd.local new file mode 100644 index 0000000000..3716400022 --- /dev/null +++ b/src/security/apparmor/usr.sbin.libvirtd.local @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'usr.sbin.libvirtd' diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/app= armor/usr.sbin.virtqemud.in index f269c60809..3ebdbf2a8f 100644 --- a/src/security/apparmor/usr.sbin.virtqemud.in +++ b/src/security/apparmor/usr.sbin.virtqemud.in @@ -132,4 +132,7 @@ profile virtqemud @sbindir@/virtqemud flags=3D(attach_d= isconnected) { =20 /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } + + # Site-specific additions and overrides. See local/README for details. + include if exists } diff --git a/src/security/apparmor/usr.sbin.virtqemud.local b/src/security/= apparmor/usr.sbin.virtqemud.local new file mode 100644 index 0000000000..2ac68bb069 --- /dev/null +++ b/src/security/apparmor/usr.sbin.virtqemud.local @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'usr.sbin.virtqemud' diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/appa= rmor/usr.sbin.virtxend.in index 72e0d801e5..719766a0c1 100644 --- a/src/security/apparmor/usr.sbin.virtxend.in +++ b/src/security/apparmor/usr.sbin.virtxend.in @@ -52,4 +52,7 @@ profile virtxend @sbindir@/virtxend flags=3D(attach_disco= nnected) { @libexecdir@/libvirt_iohelper ix, /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix, + + # Site-specific additions and overrides. See local/README for details. + include if exists } 
diff --git a/src/security/apparmor/usr.sbin.virtxend.local b/src/security/a= pparmor/usr.sbin.virtxend.local new file mode 100644 index 0000000000..2ade86d4df --- /dev/null +++ b/src/security/apparmor/usr.sbin.virtxend.local @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'usr.sbin.virtxend' --=20 2.40.1
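Review bot: the `foreach name : apparmor_gen_profiles` loop in the meson.build hunk makes the build depend on a `@0@.local` source file existing for every entry of a list that is not visible in this hunk. The diffstat adds stubs only for usr.sbin.libvirtd, usr.sbin.virtqemud and usr.sbin.virtxend, while the removed block installed usr.lib.libvirt.virt-aa-helper.local explicitly, so please confirm `apparmor_gen_profiles` contains exactly those four names: a name without a stub fails at configure time, and if virt-aa-helper is not in the list its local stub is silently no longer installed. A one-line comment above the loop stating that every generated profile must ship a matching `.local` stub would make that coupling explicit for whoever adds the next profile.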
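Review bot: the `include if exists` line added at the end of the libvirtd profile (and identically in the virtqemud and virtxend hunks) shows no target in this copy of the patch. From `install_dir: apparmor_dir / 'local'` and `rename: name` in the meson hunk the intended target is `<local/usr.sbin.libvirtd>` (and the matching name for the other two daemons), and the angle brackets were most likely lost in transit, but please verify the applied patch carries the path, since a bare `include if exists` is not valid profile syntax and the parser will reject the whole profile rather than skip the include. The new comment also points to local/README, which no hunk in this series adds; if that file comes from the distribution's apparmor package rather than from libvirt, the comment should say so or drop the reference, otherwise it dangles on systems that lack it.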
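Review bot: the three `.local` stubs (usr.sbin.libvirtd.local and the virtqemud and virtxend equivalents) each carry a single comment naming the profile they extend, but nothing telling the administrator what the file is for. Since the cover letter's point is that this is the one place where site rules survive a package upgrade, the stub comment should say that rules added here extend the daemon's confinement and only take effect after the main profile is reloaded (for example `apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd`); otherwise an admin who adds a rule, sees no effect and edits the main profile instead walks straight into the upgrade regression this series is trying to remove.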