From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH V2 3/3] apparmor: Add support for local profile customizations
Date: Wed, 28 Jun 2023 17:15:29 -0600
Message-ID: <20230628231724.14632-4-jfehlig@suse.com>
In-Reply-To: <20230628231724.14632-1-jfehlig@suse.com>
References: <20230628231724.14632-1-jfehlig@suse.com>
Cc: apparmor@cboltz.de
List-Id: Development discussions about the libvirt library & tools

Apparmor profiles in /etc/apparmor.d/ are config files that can be replaced on package upgrade, which introduces the potential to overwrite any local changes. Apparmor supports local profile customizations via /etc/apparmor.d/local/ [1]. In addition, apparmor 3.x supports local customizations of profile abstractions via an abstractions/.d drop directory.

In order to support local customizations, the main profiles and abstractions must 'include if exists' the local changes. This directive is only stable on apparmor 3.x, so support for local profile customizations is limited to apparmor >= 3.0.0.
Signed-off-by: Jim Fehlig --- src/security/apparmor/libvirt-lxc | 3 +++ src/security/apparmor/libvirt-qemu | 3 +++ src/security/apparmor/usr.sbin.libvirtd.in | 5 ++++- src/security/apparmor/usr.sbin.virtqemud.in | 3 +++ src/security/apparmor/usr.sbin.virtxend.in | 3 +++ 5 files changed, 16 insertions(+), 1 deletion(-) diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libv= irt-lxc index 0c8b812743..734dd95c6e 100644 --- a/src/security/apparmor/libvirt-lxc +++ b/src/security/apparmor/libvirt-lxc @@ -116,3 +116,6 @@ deny /sys/fs/cgrou[^p]*{,/**} wklx, deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs?*{,/**} wklx, + + # Site-specific additions and overrides. + include if exists diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib= virt-qemu index 44056b5f14..bed7c4ad76 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -269,3 +269,6 @@ # required for QEMU accessing UEFI nvram variables owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, + + # Site-specific additions and overrides. + include if exists diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/appa= rmor/usr.sbin.libvirtd.in index edb8dd8e26..20041fcf67 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -139,4 +139,7 @@ profile libvirtd @sbindir@/libvirtd flags=3D(attach_dis= connected) { =20 /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } -} + + # Site-specific additions and overrides. See local/README for details. + include if exists + } diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/app= armor/usr.sbin.virtqemud.in index f269c60809..3ebdbf2a8f 100644 --- a/src/security/apparmor/usr.sbin.virtqemud.in +++ b/src/security/apparmor/usr.sbin.virtqemud.in 
@@ -132,4 +132,7 @@ profile virtqemud @sbindir@/virtqemud flags=3D(attach_d= isconnected) { =20 /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } + + # Site-specific additions and overrides. See local/README for details. + include if exists } diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/appa= rmor/usr.sbin.virtxend.in index 72e0d801e5..719766a0c1 100644 --- a/src/security/apparmor/usr.sbin.virtxend.in +++ b/src/security/apparmor/usr.sbin.virtxend.in @@ -52,4 +52,7 @@ profile virtxend @sbindir@/virtxend flags=3D(attach_disco= nnected) { @libexecdir@/libvirt_iohelper ix, /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix, + + # Site-specific additions and overrides. See local/README for details. + include if exists } --=20 2.41.0
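Review bot: in the libvirt-lxc hunk the new comment promises "additions and overrides", but a drop-in included at this point cannot override the `deny /sys/fs/cgroup?*{,/**} wklx,` style rules directly above it: AppArmor gives an explicit deny precedence over allow rules regardless of order, so a site file can only widen access elsewhere or add further denies. Suggest wording the comment for the two abstractions as "Site-specific additions" or stating that the shipped denies cannot be relaxed locally. Also, as rendered here the `include if exists` line carries no `<...>` target; for an abstraction the target should be the abstractions `.d` drop directory the commit message describes, not `local/`.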
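Review bot: the `include if exists` line in the libvirt-qemu hunk shows no target as rendered, and unlike the three daemon profiles its comment does not say where site files go. Because this is an abstraction, the drop-in lives in the `.d` directory next to the abstraction rather than under `local/`, which is easy to get wrong; spell that directory out in the comment so an admin who wants to extend the nvram `owner ... rwk,` rules above knows which file to create.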
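Review bot: the usr.sbin.libvirtd.in hunk deletes the profile's closing `}` and re-adds it after the include (`-}` followed by `+ }`), which is why the diffstat shows `5 ++++-` for this file against `3 +++` for virtqemud and virtxend, where the brace stays as unchanged context. The re-added brace must differ from the deleted one, most likely in leading or trailing whitespace; keep the original `}` as context and insert the three new lines above it so all three daemon profiles end identically.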
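Review bot: the comment added to usr.sbin.virtqemud.in points at local/README, but the series does not ship such a file (the diffstat lists no README under src/security/apparmor), so the pointer relies on the distribution's apparmor package installing /etc/apparmor.d/local/README. Either add a short README next to these profiles or say in the libvirt docs that the reference means the apparmor package's file; otherwise it dangles on hosts that install the libvirt profiles without it.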
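Review bot: nothing in the usr.sbin.virtxend.in hunk guards the `include if exists` directive, yet the commit message limits the feature to apparmor >= 3.0.0 because older parsers do not accept it. These `.in` templates are processed at build time, so if an earlier patch in the series adds a meson conditional for this, confirm it covers this file as well as the other two daemon profiles and the two abstractions; otherwise a build against apparmor 2.x ships a profile the installed parser rejects, and a profile that fails to parse is not loaded at all rather than merely not customisable.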
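The local override mechanism the commit message describes, shown end to end as an added example that is not part of the libvirt patch or of the AppArmor project: a profile that carries the `include if exists` stanza, a site-local drop-in created under the profile root's `local/` directory, and a check that the shipped profile really pulls it in. The profile root /etc/apparmor.d, the target name `<local/usr.sbin.libvirtd>` and the sample rules are assumptions for the demo (the hunks on this page do not show the include targets); the reload step uses `apparmor_parser -r` and is skipped when the tool is absent.

```shell
#!/bin/sh
# Added example, not from the libvirt patch: stage a site-local AppArmor
# override for a profile and verify the shipped profile pulls it in.
# Assumptions (not on the page): profile root /etc/apparmor.d and the
# target <local/usr.sbin.libvirtd>, which is AppArmor's local/ convention.
set -eu

# profile_has_local_include FILE NAME
# Succeeds only for 'include if exists <local/NAME>'. A bare
# 'include <local/NAME>' is rejected on purpose: without 'if exists' the
# profile fails to parse whenever the local file is absent.
profile_has_local_include() {
    _pat=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    grep -Eq "^[[:space:]]*include[[:space:]]+if[[:space:]]+exists[[:space:]]+<local/${_pat}>[[:space:]]*$" "$1"
}

# write_local_override ROOT NAME RULE...
# Creates ROOT/local/NAME if needed and appends each RULE as one line.
write_local_override() {
    _root=$1; _name=$2; shift 2
    mkdir -p "${_root}/local"
    _f="${_root}/local/${_name}"
    if [ ! -e "$_f" ]; then
        printf '# Site-specific additions and overrides for %s\n' "$_name" > "$_f"
    fi
    for _rule in "$@"; do
        printf '%s\n' "$_rule" >> "$_f"
    done
    chmod 0644 "$_f"
}

# reload_profile ROOT NAME
# Re-parses ROOT/NAME into the kernel (needs root and apparmor >= 3 for
# 'include if exists'); skipped when apparmor_parser is not installed.
reload_profile() {
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -r "$1/$2"
    else
        echo "apparmor_parser not installed; skipping reload of $2" >&2
    fi
}

# Demo on a constructed profile tree in a temp dir; no privileges needed
# and nothing is loaded into the kernel.
demo() {
    _d=$(mktemp -d)
    cat > "${_d}/usr.sbin.libvirtd" <<'EOF'
#include <tunables/global>
profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
  /usr/sbin/libvirtd mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.sbin.libvirtd>
}
EOF
    if profile_has_local_include "${_d}/usr.sbin.libvirtd" usr.sbin.libvirtd; then
        echo "main profile includes local/usr.sbin.libvirtd"
    fi
    write_local_override "$_d" usr.sbin.libvirtd \
        '/srv/images/** rwk,' \
        'deny /etc/shadow r,'
    cat "${_d}/local/usr.sbin.libvirtd"
    rm -rf "$_d"
}

demo
```

Run the demo as an unprivileged user; it builds the profile tree in a temporary directory. On a real host write the override with `write_local_override /etc/apparmor.d usr.sbin.libvirtd '...'` and then run `reload_profile /etc/apparmor.d usr.sbin.libvirtd` as root. The checker deliberately rejects a plain `include <local/...>`: without `if exists` the profile refuses to load on any host where the local file is missing, which is the failure the `if exists` form of the directive exists to avoid.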