From: Alessandro
To: devel@lists.libvirt.org
Subject: [PATCH] virt-aa-helper: delete dynamic files
Date: Mon, 31 Mar 2025 19:30:02 +0200
Message-ID: <20250331173002.38339-1-alessandro@0x65c.net>
CC: dan@berrange.com, christian.ehrhardt@canonical.com, alessandro@0x65c.net
X-Mailer: git-send-email 2.49.0

We attempted multiple ways to clean up dynamic files; however, we must preserve user overrides, which requires keeping the file /etc/apparmor.d/libvirt/libvirt-uuid.

This commit proposes to move user overrides into /etc/apparmor.d/libvirt/libvirt-uuid.local and include it, if present, unconditionally.

When we stop the domain, we remove libvirt.uuid and libvirt-uuid.files, whereas we preserve libvirt-uuid.local if present.
Applying the patch, it produces the following:

root@virt-hv-lab002:/etc/apparmor.d/libvirt# ls -1 libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033*
libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033
libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033.files

root@virt-hv-lab002:/etc/apparmor.d/libvirt# cat libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033
profile libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033 flags=(attach_disconnected) {
  #include
  #include if exists
  #include if exists
}

root@virt-hv-lab002:/etc/apparmor.d/libvirt# cat libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033.files
  "/var/log/libvirt/**/testing-9a4be628.log" w,
  "/var/lib/libvirt/qemu/domain-testing-9a4be628/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain-4-testing-9a4be628/*" rw,
  "/var/run/libvirt/**/testing-9a4be628.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.testing-9a4be628" rw,
  "/var/lib/libvirt/images/testing-9a4be628.qcow2" rwk,
  "/var/lib/libvirt/images/noble-server-cloudimg-amd64.img" rk,
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/noble-server-cloudimg-amd64.img" w,
  "/var/lib/libvirt/images/testing-9a4be628-ds.qcow2" rwk,
  "/usr/share/OVMF/OVMF_CODE_4M.fd" rk,
  # don't audit writes to readonly files
  deny "/usr/share/OVMF/OVMF_CODE_4M.fd" w,
  "/var/lib/libvirt/qemu/nvram/testing-9a4be628_VARS.fd" rwk,
  "/dev/vhost-net" rw,
  "/var/lib/libvirt/qemu/domain-4-testing-9a4be628/{,**}" rwk,
  "/run/libvirt/qemu/channel/4-testing-9a4be628/{,**}" rwk,
  "/var/lib/libvirt/qemu/domain-4-testing-9a4be628/master-key.aes" rwk,
  "/dev/net/tun" rwk,
  "/dev/userfaultfd" rwk,

Fixes: https://gitlab.com/libvirt/libvirt/-/issues/451
Signed-off-by: Alessandro
---
 src/security/virt-aa-helper.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 034c042..6a1fb85 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1495,8 +1495,10 @@ main(int argc, char **argv) rc =3D parserLoad(ctl->uuid); } else if (ctl->cmd =3D=3D 'R' || ctl->cmd =3D=3D 'D') { rc =3D parserRemove(ctl->uuid); - if (ctl->cmd =3D=3D 'D') + if (ctl->cmd =3D=3D 'D') { unlink(include_file); + unlink(profile); + } } else if (ctl->cmd =3D=3D 'c' || ctl->cmd =3D=3D 'r') { g_autofree char *included_files =3D NULL; g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; @@ -1561,12 +1563,18 @@ main(int argc, char **argv) /* create the profile from TEMPLATE */ if (ctl->cmd =3D=3D 'c' || purged) { g_autofree char *tmp =3D NULL; + g_autofree char *tmp_local =3D NULL; + char *new_tmp =3D NULL; #if defined(WITH_APPARMOR_3) const char *ifexists =3D "if exists "; #else const char *ifexists =3D ""; #endif tmp =3D g_strdup_printf(" #include %s\n", i= fexists, ctl->uuid); + tmp_local =3D g_strdup_printf(" #include %s= \n", ifexists, ctl->uuid); + new_tmp =3D g_strconcat(tmp, tmp_local, NULL); + g_free(tmp); + tmp =3D g_steal_pointer(&new_tmp); =20 if (ctl->dryrun) { vah_info(profile); --=20 2.49.0
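Review bot: in the 'D' branch both unlink() calls drop their return value, so a failure other than ENOENT (EACCES or EROFS on /etc/apparmor.d, for instance) is silent and the helper still reports success to the caller; check the result, tolerate ENOENT (a domain that failed to start may never have had a profile written), and warn on anything else. Note too that, per the commit message, customisation used to live in the profile file itself and is only now relocated to the .local file, so the new unlink(profile) will delete any edits an administrator made directly in libvirt-<uuid> on existing deployments; that behaviour change deserves a sentence in the commit message and a NEWS entry so users move their overrides before upgrading.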
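Review bot: the new .local include is only optional when WITH_APPARMOR_3 is defined; in the #else branch ifexists is the empty string, so tmp_local becomes a plain #include of a file the commit message says may be absent, and the parser will refuse to load the profile on such builds (the .files line has the same prefix, but the listing above shows that file is generated together with the profile, whereas .local is created by the user or not at all). Either emit the .local line only under WITH_APPARMOR_3 or state that the new override location requires AppArmor 3. Separately, the g_strconcat()/g_free()/g_steal_pointer() sequence can be a single g_strdup_printf() producing both include lines, which also removes the non-autofree new_tmp temporary.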
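Added example, not libvirt's own code: the stop-time cleanup the commit message describes, as a stand-alone C function that removes only the generated profile and .files, checks each unlink() result, treats an already-missing file as success, and is exercised against a constructed temporary directory. remove_dynamic_files and demo_scenario are assumed names.

```c
#define _DEFAULT_SOURCE 1            /* for mkdtemp() on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Remove the helper-generated profile and its ".files" include for one domain,
 * never the user's ".local" override. An already-absent file is not an error;
 * returns 0 on success or -errno on the first real failure. */
static int remove_dynamic_files(const char *dir, const char *uuid)
{
    const char *suffixes[] = { "", ".files" };   /* ".local" is deliberately not listed */
    char path[4096];
    for (size_t i = 0; i < 2; i++) {
        int n = snprintf(path, sizeof(path), "%s/libvirt-%s%s", dir, uuid, suffixes[i]);
        if (n < 0 || (size_t)n >= sizeof(path))
            return -ENAMETOOLONG;
        if (unlink(path) < 0 && errno != ENOENT)
            return -errno;
    }
    return 0;
}

/* Constructed scenario: a temporary directory stands in for /etc/apparmor.d/libvirt
 * and holds the three files the commit message describes. Returns 0 when only the
 * profile and .files are removed and a second stop is a no-op; else a step number. */
static int demo_scenario(void)
{
    char dir[] = "/tmp/aa-demo-XXXXXX";
    const char *uuid = "e7424556-ffc1-4f6e-bafa-84e66c4dc033";   /* uuid from the listing */
    const char *suffixes[] = { "", ".files", ".local" };
    char path[3][4096];
    if (!mkdtemp(dir)) return 1;
    for (int i = 0; i < 3; i++) {
        snprintf(path[i], sizeof(path[i]), "%s/libvirt-%s%s", dir, uuid, suffixes[i]);
        FILE *f = fopen(path[i], "w");
        if (!f) return 2;
        fclose(f);
    }
    if (remove_dynamic_files(dir, uuid) != 0)
        return 3;
    if (access(path[0], F_OK) == 0 || access(path[1], F_OK) == 0)
        return 4;   /* profile or .files survived the stop */
    if (access(path[2], F_OK) != 0)
        return 5;   /* the .local override was lost */
    if (remove_dynamic_files(dir, uuid) != 0)
        return 6;   /* stopping twice must not fail */
    unlink(path[2]); rmdir(dir);
    return 0;
}
```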