[PATCH V2 0/3] apparmor: Add support for local profile customizations

Jim Fehlig posted 3 patches 10 months, 1 week ago
[PATCH V2 0/3] apparmor: Add support for local profile customizations
Posted by Jim Fehlig 10 months, 1 week ago
This is a stab at a V2 of

https://listman.redhat.com/archives/libvir-list/2023-June/240219.html

That patch was ACKed and committed, but reverted before the 9.5.0 release
since it could be problematic with older apparmor 2.x versions still
supported by libvirt.

Andrea suggested copies of the profiles for apparmor 2.x and 3.x. This
series takes that approach, with patch 1 making an identical copy of the
src/security/apparmor directory. Patches 2 and 3 then adjust the profiles
accordingly.

My approach to copying the existing directory does introduce some duplicate
files in the tree, but otherwise it's minimally disruptive and will be easy
to rip out when upstream libvirt no longer needs to support apparmor 2.x.

FYI, so far I've only tested with apparmor 3.x, but I did push the changes
to my fork with CI enabled

https://gitlab.com/jfehlig/libvirt/-/pipelines/915347878

Thanks for comments/suggestions!

Jim Fehlig (3):
  apparmor: Create version specific apparmor profiles
  apparmor: Remove support for passt from apparmor 2.x
  apparmor: Add support for local profile customizations

 meson.build                                   |   6 +-
 src/security/apparmor-2/TEMPLATE.lxc          |  15 +
 src/security/apparmor-2/TEMPLATE.qemu         |   9 +
 src/security/apparmor-2/libvirt-lxc           | 118 ++++++++
 src/security/apparmor-2/libvirt-qemu          | 256 ++++++++++++++++++
 src/security/apparmor-2/meson.build           |  41 +++
 .../usr.lib.libvirt.virt-aa-helper.in         |  75 +++++
 .../usr.lib.libvirt.virt-aa-helper.local      |   1 +
 src/security/apparmor-2/usr.sbin.libvirtd.in  | 142 ++++++++++
 src/security/apparmor-2/usr.sbin.virtqemud.in | 135 +++++++++
 src/security/apparmor-2/usr.sbin.virtxend.in  |  55 ++++
 src/security/apparmor/libvirt-lxc             |   3 +
 src/security/apparmor/libvirt-qemu            |   3 +
 src/security/apparmor/usr.sbin.libvirtd.in    |   5 +-
 src/security/apparmor/usr.sbin.virtqemud.in   |   3 +
 src/security/apparmor/usr.sbin.virtxend.in    |   3 +
 src/security/meson.build                      |   3 +
 17 files changed, 871 insertions(+), 2 deletions(-)
 create mode 100644 src/security/apparmor-2/TEMPLATE.lxc
 create mode 100644 src/security/apparmor-2/TEMPLATE.qemu
 create mode 100644 src/security/apparmor-2/libvirt-lxc
 create mode 100644 src/security/apparmor-2/libvirt-qemu
 create mode 100644 src/security/apparmor-2/meson.build
 create mode 100644 src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in
 create mode 100644 src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local
 create mode 100644 src/security/apparmor-2/usr.sbin.libvirtd.in
 create mode 100644 src/security/apparmor-2/usr.sbin.virtqemud.in
 create mode 100644 src/security/apparmor-2/usr.sbin.virtxend.in

-- 
2.41.0
Re: [PATCH V2 0/3] apparmor: Add support for local profile customizations
Posted by Andrea Bolognani 10 months, 1 week ago
On Wed, Jun 28, 2023 at 05:15:26PM -0600, Jim Fehlig wrote:
> This is a stab at a V2 of
>
> https://listman.redhat.com/archives/libvir-list/2023-June/240219.html
>
> That patch was ACKed and committed, but reverted before the 9.5.0 release
> since it could be problematic with older apparmor 2.x versions still
> supported by libvirt.
>
> Andrea suggested copies of the profiles for apparmor 2.x and 3.x. This
> series takes that approach, with patch 1 making an identical copy of the
> src/security/apparmor directory. Patches 2 and 3 then adjust the profiles
> accordingly.
>
> My approach to copying the existing directory does introduce some duplicate
> files in the tree, but otherwise it's minimally disruptive and will be easy
> to rip out when upstream libvirt no longer needs to support apparmor 2.x.
>
> FYI, so far I've only tested with apparmor 3.x, but I did push the changes
> to my fork with CI enabled
>
> https://gitlab.com/jfehlig/libvirt/-/pipelines/915347878
>
> Thanks for comments/suggestions!
>
> Jim Fehlig (3):
>   apparmor: Create version specific apparmor profiles
>   apparmor: Remove support for passt from apparmor 2.x
>   apparmor: Add support for local profile customizations

I'm not a fan of this approach. It introduces a lot of duplication
for what are ultimately just a dozen or so lines that need to be
different between the 2.x and 3.x profiles; most importantly, I'm
very concerned about the two copies accidentally drifting apart over
the ~2 years that separate us from the joyous day when we can finally
stop caring about 2.x.

Please have a look at my attempt:

  https://listman.redhat.com/archives/libvir-list/2023-June/240544.html

-- 
Andrea Bolognani / Red Hat / Virtualization
Re: [PATCH V2 0/3] apparmor: Add support for local profile customizations
Posted by Jim Fehlig 10 months, 1 week ago
On 6/29/23 07:21, Andrea Bolognani wrote:
> On Wed, Jun 28, 2023 at 05:15:26PM -0600, Jim Fehlig wrote:
>> This is a stab at a V2 of
>>
>> https://listman.redhat.com/archives/libvir-list/2023-June/240219.html
>>
>> That patch was ACKed and committed, but reverted before the 9.5.0 release
>> since it could be problematic with older apparmor 2.x versions still
>> supported by libvirt.
>>
>> Andrea suggested copies of the profiles for apparmor 2.x and 3.x. This
>> series takes that approach, with patch 1 making an identical copy of the
>> src/security/apparmor directory. Patches 2 and 3 then adjust the profiles
>> accordingly.
>>
>> My approach to copying the existing directory does introduce some duplicate
>> files in the tree, but otherwise it's minimally disruptive and will be easy
>> to rip out when upstream libvirt no longer needs to support apparmor 2.x.
>>
>> FYI, so far I've only tested with apparmor 3.x, but I did push the changes
>> to my fork with CI enabled
>>
>> https://gitlab.com/jfehlig/libvirt/-/pipelines/915347878
>>
>> Thanks for comments/suggestions!
>>
>> Jim Fehlig (3):
>>    apparmor: Create version specific apparmor profiles
>>    apparmor: Remove support for passt from apparmor 2.x
>>    apparmor: Add support for local profile customizations
> 
> I'm not a fan of this approach. It introduces a lot of duplication
> for what are ultimately just a dozen or so lines that need to be
> different between the 2.x and 3.x profiles; most importantly, I'm
> very concerned about the two copies accidentally drifting apart over
> the ~2 years that separate us from the joyous day when we can finally
> stop caring about 2.x.
> 
> Please have a look at my attempt:
> 
>    https://listman.redhat.com/archives/libvir-list/2023-June/240544.html
> 

I was going down the same path until I thought of the more brute force approach,
which I admit to being fond of due to the ease of ripping out the 2.x stuff when no
longer needed. But yeah, two copies of the profiles is not nice.

I'll take a closer look at your patches now.

Regards,
Jim
Re: [PATCH V2 0/3] apparmor: Add support for local profile customizations
Posted by Christian Boltz 10 months, 1 week ago
Hello,

On Thursday, 29 June 2023 at 19:05:09 CEST, Jim Fehlig wrote:
[...]
> I was going down the same path until I thought of the more brute force
> approach, which I admit to be fond of due to ease of ripping out the
> 2.x stuff when no longer needed. But yeah, two copies of the profiles
> is not nice.

I have quite some experience with [getting rid of] code duplication [1], 
and "not nice" is a very diplomatic description ;-)

> I'll take a closer look at your patches now.

I had a look, and those conditional blocks look much better than 
duplicating the whole directory.


Another thing you might want to add to all profiles and abstractions for 
AppArmor >= 3.0 is
    abi <abi/3.0>,

This will enable enforcement of some newer rule types, which might mean 
that you need to add a few new rules to the profiles.
See the "Feature ABI" section in man 5 apparmor.d for details.

(Since this is unrelated to local/, adding the abi lines should probably 
be a separate patch.)


Regards,

Christian Boltz

[1] unrelated to AppArmor
-- 
File Not Found.....Loading something that looks similar
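As an added illustration (not part of Christian's message or of the libvirt series), a minimal profile in the two forms this thread is about: the AppArmor 3.x form with the abi line Christian recommends and an optional local/ include for site customizations, and the lines an older 2.x parser needs instead. The daemon name and paths are made up for the example.

```apparmor
# /etc/apparmor.d/usr.sbin.example-daemon  (AppArmor >= 3.0 form)
# Hypothetical daemon and paths; this is not libvirt's profile.

# Declare the feature ABI first. With it the parser enforces the newer
# rule types the 3.0 ABI knows about instead of silently dropping them,
# so adding this line can require adding rules the profile lacked before.
abi <abi/3.0>,

#include <tunables/global>

profile example-daemon /usr/sbin/example-daemon flags=(attach_disconnected) {
  #include <abstractions/base>

  /usr/sbin/example-daemon mr,
  /etc/example-daemon/** r,
  /run/example-daemon/** rw,
  owner /var/log/example-daemon/*.log w,

  # Site-specific additions and overrides. "include if exists" makes the
  # local/ file optional, so the package need not ship an empty one.
  include if exists <local/usr.sbin.example-daemon>
}

# --- AppArmor 2.x-compatible variant (differences only) ---
# An older 2.x parser understands neither "abi" nor "include if exists",
# so the profile would omit the abi line above and end with a plain
#
#   #include <local/usr.sbin.example-daemon>
#
# A plain #include is mandatory: if local/usr.sbin.example-daemon is
# missing, the whole profile fails to load, which is why the 2.x copy
# in this series installs a (possibly empty) .local file next to it.
```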