From: Andrea Bolognani To: libvir-list@redhat.com Subject: [libvirt PATCH 1/8] meson: Detect AppArmor 3.x Date: Thu, 29 Jun 2023 15:14:50 +0200 Message-ID: <20230629131457.248503-2-abologna@redhat.com> In-Reply-To: <20230629131457.248503-1-abologna@redhat.com> References: <20230629131457.248503-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.8 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1688044520387100005 Content-Type: text/plain; charset="utf-8"; x-default="true" We will soon need to base some decisions on whether AppArmor 3.x or 2.x is present on the system. Signed-off-by: Andrea Bolognani Reviewed-by: Jim Fehlig --- meson.build | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meson.build b/meson.build index aa391e7178..060eafc344 100644 --- a/meson.build +++ b/meson.build 
@@ -879,6 +879,9 @@ endif apparmor_dep =3D dependency('libapparmor', required: get_option('apparmor'= )) if apparmor_dep.found() conf.set('WITH_APPARMOR', 1) + if apparmor_dep.version().version_compare('>=3D3.0.0') + conf.set('WITH_APPARMOR_3', 1) + endif conf.set_quoted('APPARMOR_DIR', sysconfdir / 'apparmor.d') conf.set_quoted('APPARMOR_PROFILES_PATH', '/sys/kernel/security/apparmor= /profiles') endif --=20 2.41.0 From nobody Tue May 21 20:50:59 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1688044511; cv=none; d=zohomail.com; s=zohoarc; b=FNmSofkIY5UVZW/omKySGjzoVSVwdmrtIwcDeOGi17hK6j1b66Aijgszxi8Etj9b49LFJIpXQmfUngjQUuApLHMhKKEFyICLLjCThn/aph6eExNG02TAR1/DDOC0ydddY6kY7/Xn5o8Wd+rYyQNRLI2QitGx/OJHK10eHhn0C7o= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1688044511; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=RakpVXopM3l9suEjDBY3KTbw4nCcXfatO17hY06OimY=; b=mTpsRWNApd3MiTo/YrK06ClB8Ro9NPrFi5U+sm9e2D8fl/QrWLOY7ihCyB0fRLX1VDQbMJhku2dLz93kBqlZBuZ/o63Z9/gKHL6kI2PRr94MGjiBBCaZJDm0G2VFkIWraht8yOqUEE+EwNOXIYZ427w6Ssb3d5TbnH7j6ECUMjg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from 
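Review bot: the `version_compare('>=3.0.0')` check keys WITH_APPARMOR_3 off the libapparmor version seen at build time, which is only a proxy for the apparmor_parser that will load the generated profiles on the target host; when the two differ (build in a container or chroot, install on a different release) a profile using 'include if exists' can be rejected by a 2.x parser and is then not loaded at all. A comment next to `conf.set('WITH_APPARMOR_3', 1)` stating that assumption would help packagers, and it is worth spelling out that the 3.x branch is taken only on a positive version match, so an unknown or unparsable version falls back to the 2.x variant, which is the safe direction.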
in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=RakpVXopM3l9suEjDBY3KTbw4nCcXfatO17hY06OimY=; b=AQgeRw1VQoNL4eRAn7F0DU0zvs/wKOhPQA7EyUvEpcVAO7zIvk1MpgdYFMzNaRpjiautWZ HqlhinPEUkBHcYhOWcLxvyrrlTjI4l9WiRR+CtP3f2Tc3+nDRJ79oT5FRaAqGUJwVPYfph ZCct7MVEmzA1dSZIPdGnEZCOW+/urLE= X-MC-Unique: WQAB0b5KM4SBmwHiWdWagw-1 X-Original-To: libvir-list@listman.corp.redhat.com From: Andrea Bolognani To: libvir-list@redhat.com Subject: [libvirt PATCH 2/8] apparmor: Allow version-specific bits in profiles Date: Thu, 29 Jun 2023 15:14:51 +0200 Message-ID: <20230629131457.248503-3-abologna@redhat.com> In-Reply-To: <20230629131457.248503-1-abologna@redhat.com> References: <20230629131457.248503-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.9 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1688044512348100001 Content-Type: text/plain; charset="utf-8"; x-default="true" Perform an additional preprocessing step before the existing variable substitution. This is the same approach that we already use to customize systemd unit files based on whether the service supports TCP connections. Signed-off-by: Andrea Bolognani Reviewed-by: Jim Fehlig --- src/security/apparmor/meson.build | 34 ++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index 58b4024b85..c4745acdb9 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build 
@@ -14,9 +14,41 @@ apparmor_gen_profiles_conf =3D configuration_data({ =20 apparmor_dir =3D sysconfdir / 'apparmor.d' =20 +# Our profiles use some features that only work well on AppArmor 3.x, +# specifically the 'include if exists' directive. In order to keep +# supporting AppArmor 2.x, the bits that are version-specific are +# enclosed in special markers and we decide which ones to include +# based on the AppArmor version detected on the host. +# +# TODO: drop the additional complexity once we no longer target +# distros that ship AppArmor 2.x (Debian 11, Ubuntu 20.04) +if conf.has('WITH_APPARMOR_3') + apparmor_gen_cmd =3D [ + 'sed', + '-e', '/[@]BEGIN_APPARMOR_3[@]/d', + '-e', '/[@]END_APPARMOR_3[@]/d', + '-e', '/[@]BEGIN_APPARMOR_2[@]/,/[@]END_APPARMOR_2[@]/d', + '@INPUT@' + ] +else + apparmor_gen_cmd =3D [ + 'sed', + '-e', '/[@]BEGIN_APPARMOR_3[@]/,/[@]END_APPARMOR_3[@]/d', + '-e', '/[@]BEGIN_APPARMOR_2[@]/d', + '-e', '/[@]END_APPARMOR_2[@]/d', + '@INPUT@' + ] +endif + foreach name : apparmor_gen_profiles - configure_file( + tmp =3D configure_file( input: '@0@.in'.format(name), + output: '@0@.tmp'.format(name), + command: apparmor_gen_cmd, + capture: true, + ) + configure_file( + input: tmp, output: name, configuration: apparmor_gen_profiles_conf, install: true, --=20 2.41.0 From nobody Tue May 21 20:50:59 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1688044516; cv=none; d=zohomail.com; s=zohoarc; 
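Review bot: the range deletions `'/[@]BEGIN_APPARMOR_2[@]/,/[@]END_APPARMOR_2[@]/d'` and `'/[@]BEGIN_APPARMOR_3[@]/,/[@]END_APPARMOR_3[@]/d'` have no guard against an unbalanced marker pair: if a BEGIN marker is left without its END (or the END is misspelled), sed's range runs to end of file and silently strips the rest of the profile, and the damage only surfaces later, if at all, when apparmor_parser refuses to load the result, at which point nothing is confined. Consider a small check that counts BEGIN/END pairs in each .in file, or a CI step that compares the generated output of both branches, so a marker typo fails the build rather than the deployment. The header comment should also state that the markers must not nest, since the two branches delete the 2.x and 3.x ranges independently of each other.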
From: Andrea Bolognani To: libvir-list@redhat.com Subject: [libvirt PATCH 3/8] apparmor: Allow version-specific bits in abstractions too Date: Thu, 29 Jun 2023 15:14:52 +0200 Message-ID: <20230629131457.248503-4-abologna@redhat.com> In-Reply-To: <20230629131457.248503-1-abologna@redhat.com> References: <20230629131457.248503-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1688044518365100002 Content-Type: text/plain; charset="utf-8"; x-default="true" Compared to profiles, we only need a single preprocessing step here, as there is no variable substitution happening. Signed-off-by: Andrea Bolognani Reviewed-by: Jim Fehlig --- .../apparmor/{libvirt-lxc =3D> libvirt-lxc.in} | 0 .../{libvirt-qemu =3D> libvirt-qemu.in} | 0 src/security/apparmor/meson.build | 19 +++++++++++++++---- 3 files changed, 15 insertions(+), 4 deletions(-) rename src/security/apparmor/{libvirt-lxc =3D> libvirt-lxc.in} (100%) rename src/security/apparmor/{libvirt-qemu =3D> libvirt-qemu.in} (100%) diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libv= irt-lxc.in similarity index 100% rename from src/security/apparmor/libvirt-lxc rename to src/security/apparmor/libvirt-lxc.in diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib= virt-qemu.in similarity index 100% rename from src/security/apparmor/libvirt-qemu rename to src/security/apparmor/libvirt-qemu.in 
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index c4745acdb9..8bc2405f88 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -5,6 +5,11 @@ apparmor_gen_profiles =3D [ 'usr.sbin.virtxend', ] =20 +apparmor_gen_abstractions =3D [ + 'libvirt-qemu', + 'libvirt-lxc', +] + apparmor_gen_profiles_conf =3D configuration_data({ 'sysconfdir': sysconfdir, 'sbindir': sbindir, 
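Review bot: `apparmor_gen_abstractions` is introduced without a comment, although the abstractions it names stop being plain installed files and become outputs generated from `.in` sources; a one-line comment above the list saying that every file under abstractions/ that uses the version markers must be listed here, with its source carrying the .in suffix, would stop the next contributor from adding an abstraction via install_data and shipping the raw markers to the host.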
@@ -56,10 +61,16 @@ foreach name : apparmor_gen_profiles ) endforeach =20 -install_data( - [ 'libvirt-qemu', 'libvirt-lxc' ], - install_dir: apparmor_dir / 'abstractions', -) +foreach name : apparmor_gen_abstractions + configure_file( + input: '@0@.in'.format(name), + output: name, + command: apparmor_gen_cmd, + capture: true, + install: true, + install_dir: apparmor_dir / 'abstractions', + ) +endforeach =20 install_data( [ 'TEMPLATE.qemu', 'TEMPLATE.lxc' ], --=20 2.41.0 From nobody Tue May 21 20:50:59 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1688044517; cv=none; d=zohomail.com; s=zohoarc; b=fgGWQ+6T6SXDJIi9M9dj5p7RTA/zJrtfCSpChrSVL+V1yUMoQntbIN5QCndDsBhEt6gM6GT8Jm8wGyQGaEXu2FNSvcN4p7ouXgIWTxs+C/tunXvaErPkLAEPMBGiq0/CWuvbIshs+6LWcXrld+xGgQiqXwp+KgmSgFVonA3bZTY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1688044517; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=y9ycQwO/iedvUKuXzY/yQmXZN+cxZYSqCDnEVDS4Rrk=; b=C7M/A5GLVsZA7lrgh74/Q7bWL58Kn85HL3henJUm3Ru1UxxUCniaMMZRgNNDr30u/fIgLq50+8ELO01ujGZ3Qnhjjfjeh8klYQD9k9SqLLB2J6CtYY5JPXhh50aSzu4DMQ3wx4U8/0hK/oZmuGfwp/sMDiWVj4BnNkzoUHrp8uk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= 
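Review bot: the new `configure_file()` loop runs the abstraction sources through `apparmor_gen_cmd` but, unlike the profiles loop, has no second `configuration:` stage, so any `@foo@` token other than the `[@]`-escaped markers is written verbatim into the installed file; that matches the commit message, but a sentence in the comment block noting that abstractions deliberately get no variable substitution would make the asymmetry look intended. It is also worth confirming that the mode of the generated files under `apparmor_dir / 'abstractions'` still matches what the replaced `install_data` call produced, since the two install paths do not necessarily default to the same thing.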
content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=y9ycQwO/iedvUKuXzY/yQmXZN+cxZYSqCDnEVDS4Rrk=; b=Pqm+y6YSRosaIvXTnzmQh4fzbH789gKMXvaW0Gw/biz+AUO+q9K02BW9Gt5OXQm2dwHK5P BHtEpEX+aTOh2JWWhDkxx4USCziBj7DQB4vIIcaE9lQV0QaiC8uPe3I+zXfRexje62bOAF 6ZKh3RUbSLFA4Dc2UMNdsedzxknrLkc= X-MC-Unique: Vrh3mI9jNFC64FY2_3DO8w-1 X-Original-To: libvir-list@listman.corp.redhat.com From: Andrea Bolognani To: libvir-list@redhat.com Subject: [libvirt PATCH 4/8] apparmor: Only support passt on 3.x Date: Thu, 29 Jun 2023 15:14:53 +0200 Message-ID: <20230629131457.248503-5-abologna@redhat.com> In-Reply-To: <20230629131457.248503-1-abologna@redhat.com> References: <20230629131457.248503-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.5 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1688044518354100001 Content-Type: text/plain; charset="utf-8"; x-default="true" The subprofile can only work by including the abstraction shipped in the passt package, which we can't assume is present, and 'include if exists' doesn't work well on 2.x. No distro that's stuck on AppArmor 2.x is likely to be shipping passt anyway. Signed-off-by: Andrea Bolognani Reviewed-by: Jim Fehlig --- src/security/apparmor/libvirt-qemu.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/= libvirt-qemu.in index 44056b5f14..1548cf23bf 100644 --- a/src/security/apparmor/libvirt-qemu.in 
+++ b/src/security/apparmor/libvirt-qemu.in @@ -185,6 +185,7 @@ /usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, =20 +@BEGIN_APPARMOR_3@ # support for passt network back-end /usr/bin/passt Cx -> passt, =20 
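Review bot: `@BEGIN_APPARMOR_3@` opens a range whose `@END_APPARMOR_3@` sits in the next hunk, so the pair straddles the passt comment, the `/usr/bin/passt Cx -> passt,` transition and the whole passt subprofile; on a 2.x build all of it is deleted, so a 2.x host that does have passt will see the exec of /usr/bin/passt denied by the qemu profile instead of confined by the child profile. That is what the commit message argues for, but a short comment on the BEGIN line saying why the block is 3.x-only, and that the pair must stay balanced as the subprofile grows, would keep the reason from being lost.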
@@ -199,6 +200,7 @@ =20 include if exists } +@END_APPARMOR_3@ =20 # for save and resume /{usr/,}bin/dash rmix, --=20 2.41.0 From nobody Tue May 21 20:50:59 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1688044571; cv=none; d=zohomail.com; s=zohoarc; b=YHmea7ZcY7HWNILChIKQmd38gb39xMhbYhC5L40wY9lMml2x5YeunSJT3wLFSHPZJLuo+YT/GqeaZy0tsorBq3OeOzfDbp4kxCNoXa9e9xx4N+pzcuEhltLUMcC8fMcceQO38FeAnZS+L1Nfy7GYJITUUfgo8N6e3od018YQ87I= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1688044571; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=Atp9I9bcsWvcIdTdVX7H0qY9bDZzoZytDk+7FzKCeUI=; b=ah0JDF9Keazu7HGxEmDLgNje4FRmHG5nOpnB7AT6VrwFfhMz6HzHDfxzysWaFOh9pSCt1zbs9GqysVEgtNh5aNmd+ncvjv4BegoxDG5p4SfEZmzdA0uJwvaxmCwVUAGX2NJ0jdmDJSEf4nWoE59rhMAOR4DulvLTho35zBFYC7I= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com with SMTPS id 1688044571584408.8889207500141; Thu, 29 Jun 2023 06:16:11 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with 
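Review bot: `@END_APPARMOR_3@` closes the range directly after the subprofile's `}`, which is correct, but the `include if exists` inside the subprofile is itself the construct the commit message says 2.x cannot handle, so the markers here serve two purposes at once: dropping a dependency on an abstraction that may be absent, and dropping syntax the 2.x parser does not support. Stating both next to the closing marker would answer the eventual question of whether the block can be re-enabled on 2.x once passt ships there (it cannot, because of the second reason).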
io/iF1Z3VGWoCEnezgYwafTtbYcVduo= X-MC-Unique: VEkFw5A1NfWjsp0sWZx5WQ-1 X-Original-To: libvir-list@listman.corp.redhat.com From: Andrea Bolognani To: libvir-list@redhat.com Subject: [libvirt PATCH 5/8] apparmor: Make abstractions extensible Date: Thu, 29 Jun 2023 15:14:54 +0200 Message-ID: <20230629131457.248503-6-abologna@redhat.com> In-Reply-To: <20230629131457.248503-1-abologna@redhat.com> References: <20230629131457.248503-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.5 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1688044572433100001 Content-Type: text/plain; charset="utf-8"; x-default="true" Implement the standard AppArmor 3.x abstraction extension approach. Signed-off-by: Andrea Bolognani Reviewed-by: Jim Fehlig --- src/security/apparmor/libvirt-lxc.in | 4 ++++ src/security/apparmor/libvirt-qemu.in | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/src/security/apparmor/libvirt-lxc.in b/src/security/apparmor/l= ibvirt-lxc.in index 0c8b812743..ffe4d8f21f 100644 --- a/src/security/apparmor/libvirt-lxc.in +++ b/src/security/apparmor/libvirt-lxc.in @@ -116,3 +116,7 @@ deny /sys/fs/cgrou[^p]*{,/**} wklx, deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs?*{,/**} wklx, + +@BEGIN_APPARMOR_3@ + include if exists +@END_APPARMOR_3@ diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/= libvirt-qemu.in index 1548cf23bf..53f45c3a28 100644 --- a/src/security/apparmor/libvirt-qemu.in +++ b/src/security/apparmor/libvirt-qemu.in 
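Review bot: the `include if exists` appended after the three `deny /sys/fs...` rules gives admins an extension point, but the hunk adds no comment saying what it can and cannot do: AppArmor gives deny rules precedence over allow rules, so a local override can add permissions but cannot re-enable the cgroup and sysfs paths denied just above it. Since the include is wrapped in `@BEGIN_APPARMOR_3@`/`@END_APPARMOR_3@`, a 2.x build also ships an abstraction with no local hook at all; that is consistent with patch 2/8 but deserves a mention in the commit message, which only says the approach is the standard 3.x one.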
@@ -271,3 +271,7 @@ # required for QEMU accessing UEFI nvram variables owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, + +@BEGIN_APPARMOR_3@ + include if exists +@END_APPARMOR_3@ --=20 2.41.0 From nobody Tue May 21 20:50:59 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1688044522; cv=none; d=zohomail.com; s=zohoarc; b=Oy2DCL5H6++efvyrEhdHgJEgh0vG9QYa9Zbg8DAV533gqPafuO+fUONh/bU5HjMJAsQ9QPAYAO9J/pFmL+KM3i6+hU+qUySPhxMbW5ZXgCtRzzs0sGoPE11jVEoelF/iGnk9HQNnYRLvUlRYsE2I3GstEkkrfBfdDmk9Z4WP5kI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1688044522; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=rONqoTKlzlhDvfszB9kk7ARN7y7m3Bf2L0eKxLYgIm0=; b=gTWWEFPX++IVoLI0E4Oj/GRZyBhPmdLNOVWlxMv/B+mHONMrHXquEOtdo4e68L3QvGEOsXmPB+PtvG0SnzWWouzpOmHDS4YZ7M2exGPURIpjMErM6j7TOOPGJM/cBqFZkrq0Z4G9efnFFaD2EFsksTJpwATrMWpUJp8MghMXciE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1688044522468555.2706310629258; Thu, 29 Jun 2023 06:15:22 -0700 
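Review bot: same extension point as in libvirt-lxc.in, again without an explanatory comment; a one-line comment above the include, like the one AppArmor's own abstractions carry above their extension include, would make the hook discoverable, since the target named in `include if exists` is the only thing that tells an admin where an override file goes. Given that an override can widen what QEMU may touch (the `owner ... rwk` nvram rules directly above are the kind of access it can extend), the comment should also say that the local file is part of the trusted policy and must be managed with the same care as the profiles themselves.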
From: Andrea Bolognani
To: libvir-list@redhat.com
Subject: [libvirt PATCH 6/8] apparmor: Improve virt-aa-helper include
Date: Thu, 29 Jun 2023 15:14:55 +0200
Message-ID: <20230629131457.248503-7-abologna@redhat.com>
In-Reply-To: <20230629131457.248503-1-abologna@redhat.com>
References: <20230629131457.248503-1-abologna@redhat.com>

For AppArmor 3.x we can use 'include if exists', which frees us from
having to create a dummy override. For AppArmor 2.x we keep things as
they are to avoid introducing regressions.

Signed-off-by: Andrea Bolognani
Reviewed-by: Jim Fehlig
---
 src/security/apparmor/meson.build              | 15 ++++++++++-----
 .../apparmor/usr.lib.libvirt.virt-aa-helper.in |  5 +++++
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 8bc2405f88..b9257c816d 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -77,8 +77,13 @@ install_data( install_dir: apparmor_dir / 'libvirt', ) =20 -install_data( - 'usr.lib.libvirt.virt-aa-helper.local', - install_dir: apparmor_dir / 'local', - rename: 'usr.lib.libvirt.virt-aa-helper', -) +if not conf.has('WITH_APPARMOR_3') + # We only install the empty local override for AppArmor 2.x. For + # AppArmor 3.x, upstream's preference is to avoid creating these + # files in order to limit the amount of filesystem clutter. + install_data( + 'usr.lib.libvirt.virt-aa-helper.local', + install_dir: apparmor_dir / 'local', + rename: 'usr.lib.libvirt.virt-aa-helper', + ) +endif diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/= security/apparmor/usr.lib.libvirt.virt-aa-helper.in index ff1d46bebe..26ee20a17d 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in 
@@ -71,5 +71,10 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { /**.[iI][sS][oO] r, /**/disk{,.*} r, =20 +@BEGIN_APPARMOR_3@ + include if exists +@END_APPARMOR_3@ +@BEGIN_APPARMOR_2@ #include +@END_APPARMOR_2@ } --=20 2.41.0 From nobody Tue May 21 20:50:59 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1688044574; cv=none; d=zohomail.com; s=zohoarc; b=VpAdQMcDqPX5urOUv4m4u2qA7A3GNWk2fcanB2FqM98whvnWd0lyMIPWARRvIBI2Yo564iJD/wszvcJ6ivNmS7PTOxJZath1IGCqqrMSsMZzoJkEoFYI22iWVeA566R/MKiNozpoFfL976xdkKaaQK/bG/d/4dx0J5XfP34GQJc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1688044574; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=CvFxZY8M0sf30KYdNEaIhYaQryA2CNeHjiKbIKbdkoQ=; b=jHhmSmnEPARHqgtx78WwGLbGX1svHTspxRQ9JmpeQFv1JW9P8nyKGvbe9xkmvX0RNWpYeLDhq992qU45DwveKu9jl9cEuDuaakRmaVKWpKT2Dea8vhJeVznrv9hMRXVxd+aLgLz8ea0frMNpHxQY/ZQeg7gfCCZf4XAyLC15xY8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 168804457442343.01557910543704; Thu, 29 Jun 2023 06:16:14 -0700 (PDT) Received: 
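Review bot: in the meson.build hunk, `if not conf.has('WITH_APPARMOR_3')` tests for the presence of the key rather than its value, which is only correct if the detection code sets the key exclusively on the AppArmor 3 path. If it ever records the negative result as `conf.set('WITH_APPARMOR_3', 0)`, the empty `local/usr.lib.libvirt.virt-aa-helper` stops being installed on 2.x while the profile's `@BEGIN_APPARMOR_2@` branch in the same patch still hard-includes it, and the profile would fail to load. A value check such as `conf.get('WITH_APPARMOR_3', 0) == 0` would be robust against that; at minimum the comment should record the presence-only assumption.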
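Review bot: in the usr.lib.libvirt.virt-aa-helper.in hunk the `@BEGIN_APPARMOR_2@` branch keeps a plain `#include` without `if exists`, so on 2.x the profile only loads because meson.build installs the empty `local/` file in the same patch. A short comment on that line pointing at the meson side would keep the two pieces from drifting apart the next time either one is edited; as it stands nothing in the profile says why the 2.x include is unconditional.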
From: Andrea Bolognani
To: libvir-list@redhat.com
Subject: [libvirt PATCH 7/8] apparmor: Make all profiles extensible
Date: Thu, 29 Jun 2023 15:14:56 +0200
Message-ID: <20230629131457.248503-8-abologna@redhat.com>
In-Reply-To: <20230629131457.248503-1-abologna@redhat.com>
References: <20230629131457.248503-1-abologna@redhat.com>

Do for all other profiles what we already do for the virt-aa-helper one.

In this case we limit the feature to AppArmor 3.x, as it was never
implemented for 2.x.

Signed-off-by: Andrea Bolognani
Reviewed-by: Jim Fehlig
---
 src/security/apparmor/usr.sbin.libvirtd.in  | 4 ++++
 src/security/apparmor/usr.sbin.virtqemud.in | 4 ++++
 src/security/apparmor/usr.sbin.virtxend.in  | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index edb8dd8e26..1601d73d47 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -139,4 +139,8 @@ profile libvirtd @sbindir@/libvirtd flags=3D(attach_dis= connected) { =20 /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } + +@BEGIN_APPARMOR_3@ + include if exists +@END_APPARMOR_3@ } diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/app= armor/usr.sbin.virtqemud.in index f269c60809..6b9c5d32d9 100644 --- a/src/security/apparmor/usr.sbin.virtqemud.in +++ b/src/security/apparmor/usr.sbin.virtqemud.in @@ -132,4 +132,8 @@ profile virtqemud @sbindir@/virtqemud flags=3D(attach_d= isconnected) { =20 /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } + +@BEGIN_APPARMOR_3@ + include if exists +@END_APPARMOR_3@ } diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/appa= rmor/usr.sbin.virtxend.in index 72e0d801e5..78a11305f5 100644 --- a/src/security/apparmor/usr.sbin.virtxend.in +++ b/src/security/apparmor/usr.sbin.virtxend.in 
@@ -52,4 +52,8 @@ profile virtxend @sbindir@/virtxend flags=3D(attach_disco= nnected) { @libexecdir@/libvirt_iohelper ix, /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix, + +@BEGIN_APPARMOR_3@ + include if exists +@END_APPARMOR_3@ } --=20 2.41.0 From nobody Tue May 21 20:50:59 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1688044525; cv=none; d=zohomail.com; s=zohoarc; b=EvkXiPHebyPLZE5B7JpYuIlvhttXr8ivtoYZZ7mscoqQozLGjJPggi5Gt6LardaPUYysqWehuKLTbtQ5sly4cPDRVQGtYhhKYyCl19s/kJhYTfykF+vXi9+C6Bh8IkUpYZsfIizlJkLBQp9f9wYM291pKQYsOyNc7csCjqw5Vm4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1688044525; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=21mvF1lbOkcd9+H81lXkEJcTZu2hozDioB+zuVq64dU=; b=LveDF2PJ0bEVY71+fd732VQxkinUbLrp3roVbkNL7ZilmuCmAdf6WPy38Y/ikku5UPWmReYYRRqmgcjR62/P8bpUEaqZPUwmL60PicuhTujm//zbB2XP9k6gJG4GhvgBD9MnPdG5SjsdE7tC7mXBctwpX3NFw+Gx5NRAS7YMVc8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com with SMTPS id 1688044524985148.54584887639373; Thu, 29 Jun 2023 06:15:24 
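Review bot: in both the usr.sbin.libvirtd.in and usr.sbin.virtqemud.in hunks the include block lands after the closing `}` of a nested block (the one ending with the `qemu-bridge-helper rmix,` rule) and before the parent profile's closing `}`, which is the right scope: rules from `local/` then apply to the daemon profile itself and not to the nested one. Because the hunk context shows nothing but two braces, a one-line comment above `@BEGIN_APPARMOR_3@` stating that the block must stay in the outer profile would stop a later edit from accidentally moving it inside the nested block, where a site override would silently apply to the wrong scope.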
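Review bot: the commit message says "all other profiles", but the patch touches exactly three daemon profiles (libvirtd, virtqemud, virtxend) on top of the virt-aa-helper one from 6/8. Please confirm in the message that these are the only profiles shipped from src/security/apparmor; otherwise any profile not listed here silently keeps the old non-extensible behaviour while the NEWS entry in 8/8 advertises the feature for all of them.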
From: Andrea Bolognani
To: libvir-list@redhat.com
Subject: [libvirt PATCH 8/8] NEWS: Mention overrides for AppArmor profiles and abstractions
Date: Thu, 29 Jun 2023 15:14:57 +0200
Message-ID: <20230629131457.248503-9-abologna@redhat.com>
In-Reply-To: <20230629131457.248503-1-abologna@redhat.com>
References: <20230629131457.248503-1-abologna@redhat.com>

Signed-off-by: Andrea Bolognani
Reviewed-by: Jim Fehlig
---
 NEWS.rst | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/NEWS.rst b/NEWS.rst
index 950b188a8b..92596d6088 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -33,6 +33,14 @@ v9.5.0 (unreleased) image on discard requests. Disabling cluster unrefing decreases fragme= ntation of the image. =20 + * apparmor: All profiles and abstractions now support local overrides + + This has long been the case for the ``virt-aa-helper`` profile, but has + now been extended to all other profiles and abstractions. The mechanism + used is the standard AppArmor 3.x one, where the contents of ``foo`` a= nd + ``abstractions/foo`` can be overridden by creating ``local/foo`` and + ``abstractions/foo.d`` respectively. + * **Bug fixes** =20 =20 --=20 2.41.0
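Review bot: "can be overridden" in the NEWS hunk overstates what a local include does. AppArmor rules are cumulative, so a file in `local/foo` or `abstractions/foo.d` can add permissions and can add `deny` rules that take precedence over the shipped allow rules, but it cannot remove or narrow an existing rule in place; "extended, or restricted via deny rules" would be accurate. The entry should also say that on AppArmor 2.x only the ``virt-aa-helper`` profile keeps its override, since 6/8 and 7/8 limit the new mechanism to 3.x, otherwise "all profiles and abstractions" reads as applying to both versions.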