On Wed, 2024-11-13 at 11:28 -0300, Georgia Garcia wrote:
> Some rules are generated dynamically during boot and added to the
> AppArmor policy. An example of that is macvtap devices that call the
> AppArmorSetFDLabel hook to add a rule for the tap device path.
>
> Since this information is dynamic, it is not available in the xml
> config, therefore whenever a "Restore" hook is called, the entire
> profile is regenerated by virt-aa-helper based only the information
> from the VM definition, so the dynamic/runtime information is lost.
>
> This patchset fixes that by storing these rules in a different file
> called libvirt-uuid.runtime_files, which is included by
> libvirt-uuid.files that already exists. It also includes other fixes
> like memory leaks, adoption of the GLib API in the apparmor files and
> a fix on the AppArmor policy that incorrectly applies apparmor policy
> syntax.
>
> Georgia Garcia (4):
> security_apparmor: fix memleaks in AppArmorSetFDLabel
> security: replace uses of label and VIR_FREE by g_autofree
> apparmor: fix UUID specification
> virt-aa-helper: store dynamically generated rules
>
> .../usr.lib.libvirt.virt-aa-helper.in | 5 +-
> src/security/apparmor/usr.sbin.libvirtd.in | 7 +-
> src/security/security_apparmor.c | 83 +++++-----
> src/security/virt-aa-helper.c | 145 +++++++++---------
> 4 files changed, 120 insertions(+), 120 deletions(-)
>
Friendly ping