[PATCH v2 0/4] fix AppArmor policy restore for runtime rules

Georgia Garcia posted 4 patches 3 weeks, 2 days ago
.../usr.lib.libvirt.virt-aa-helper.in         |   5 +-
src/security/apparmor/usr.sbin.libvirtd.in    |   7 +-
src/security/security_apparmor.c              |  83 +++++-----
src/security/virt-aa-helper.c                 | 145 +++++++++---------
4 files changed, 120 insertions(+), 120 deletions(-)
[PATCH v2 0/4] fix AppArmor policy restore for runtime rules
Posted by Georgia Garcia 3 weeks, 2 days ago
Some rules are generated dynamically during boot and added to the
AppArmor policy. An example of that is macvtap devices that call the
AppArmorSetFDLabel hook to add a rule for the tap device path.

Since this information is dynamic, it is not available in the xml
config, therefore whenever a "Restore" hook is called, the entire
profile is regenerated by virt-aa-helper based only the information
from the VM definition, so the dynamic/runtime information is lost.

This patchset fixes that by storing these rules in a different file
called libvirt-uuid.runtime_files, which is included by
libvirt-uuid.files that already exists. It also includes other fixes
like memory leaks, adoption of the GLib API in the apparmor files and
a fix on the AppArmor policy that incorrectly applies apparmor policy
syntax.

Georgia Garcia (4):
  security_apparmor: fix memleaks in AppArmorSetFDLabel
  security: replace uses of label and VIR_FREE by g_autofree
  apparmor: fix UUID specification
  virt-aa-helper: store dynamically generated rules

 .../usr.lib.libvirt.virt-aa-helper.in         |   5 +-
 src/security/apparmor/usr.sbin.libvirtd.in    |   7 +-
 src/security/security_apparmor.c              |  83 +++++-----
 src/security/virt-aa-helper.c                 | 145 +++++++++---------
 4 files changed, 120 insertions(+), 120 deletions(-)

-- 
2.34.1
Re: [PATCH v2 0/4] fix AppArmor policy restore for runtime rules
Posted by Georgia Garcia 1 week, 4 days ago
On Wed, 2024-11-13 at 11:28 -0300, Georgia Garcia wrote:
> Some rules are generated dynamically during boot and added to the
> AppArmor policy. An example of that is macvtap devices that call the
> AppArmorSetFDLabel hook to add a rule for the tap device path.
> 
> Since this information is dynamic, it is not available in the xml
> config, therefore whenever a "Restore" hook is called, the entire
> profile is regenerated by virt-aa-helper based only the information
> from the VM definition, so the dynamic/runtime information is lost.
> 
> This patchset fixes that by storing these rules in a different file
> called libvirt-uuid.runtime_files, which is included by
> libvirt-uuid.files that already exists. It also includes other fixes
> like memory leaks, adoption of the GLib API in the apparmor files and
> a fix on the AppArmor policy that incorrectly applies apparmor policy
> syntax.
> 
> Georgia Garcia (4):
>   security_apparmor: fix memleaks in AppArmorSetFDLabel
>   security: replace uses of label and VIR_FREE by g_autofree
>   apparmor: fix UUID specification
>   virt-aa-helper: store dynamically generated rules
> 
>  .../usr.lib.libvirt.virt-aa-helper.in         |   5 +-
>  src/security/apparmor/usr.sbin.libvirtd.in    |   7 +-
>  src/security/security_apparmor.c              |  83 +++++-----
>  src/security/virt-aa-helper.c                 | 145 +++++++++---------
>  4 files changed, 120 insertions(+), 120 deletions(-)
> 

Friendly ping