From: Alessandro
To: devel@lists.libvirt.org
Cc: dan@berrange.com, christian.ehrhardt@canonical.com, Alessandro
Subject: [PATCH] virt-aa-helper: delete dynamic files
Date: Tue, 1 Apr 2025 10:55:28 +0200
Message-ID: <20250401085916.41999-2-alessandro@0x65c.net>
In-Reply-To: <20250401085916.41999-1-alessandro@0x65c.net>
List-Id: Development discussions about the libvirt library & tools

We attempted multiple ways to clean up dynamic files; however, we must preserve user overrides, which requires keeping the file /etc/apparmor.d/libvirt/libvirt-uuid.

This commit proposes to move user overrides into /etc/apparmor.d/libvirt/libvirt-uuid.local and include it, if present, unconditionally.

When we stop the domain, we remove libvirt-uuid and libvirt-uuid.files, whereas we preserve libvirt-uuid.local if present.
Applying the patch, it produces the following:

root@virt-hv-lab002:/etc/apparmor.d/libvirt# ls -1 libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033*
libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033
libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033.files
root@virt-hv-lab002:/etc/apparmor.d/libvirt# cat libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033
profile libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033 flags=(attach_disconnected) {
  #include
  #include if exists
  #include if exists
}
root@virt-hv-lab002:/etc/apparmor.d/libvirt# cat libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033.files
  "/var/log/libvirt/**/testing-9a4be628.log" w,
  "/var/lib/libvirt/qemu/domain-testing-9a4be628/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain-4-testing-9a4be628/*" rw,
  "/var/run/libvirt/**/testing-9a4be628.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.testing-9a4be628" rw,
  "/var/lib/libvirt/images/testing-9a4be628.qcow2" rwk,
  "/var/lib/libvirt/images/noble-server-cloudimg-amd64.img" rk,
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/noble-server-cloudimg-amd64.img" w,
  "/var/lib/libvirt/images/testing-9a4be628-ds.qcow2" rwk,
  "/usr/share/OVMF/OVMF_CODE_4M.fd" rk,
  # don't audit writes to readonly files
  deny "/usr/share/OVMF/OVMF_CODE_4M.fd" w,
  "/var/lib/libvirt/qemu/nvram/testing-9a4be628_VARS.fd" rwk,
  "/dev/vhost-net" rw,
  "/var/lib/libvirt/qemu/domain-4-testing-9a4be628/{,**}" rwk,
  "/run/libvirt/qemu/channel/4-testing-9a4be628/{,**}" rwk,
  "/var/lib/libvirt/qemu/domain-4-testing-9a4be628/master-key.aes" rwk,
  "/dev/net/tun" rwk,
  "/dev/userfaultfd" rwk,

Fixes: https://gitlab.com/libvirt/libvirt/-/issues/451
Signed-off-by: Alessandro
---
 src/security/virt-aa-helper.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 034c042..6efe39c 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1495,8 +1495,10 @@ main(int argc, char **argv) rc =3D parserLoad(ctl->uuid); } else if (ctl->cmd =3D=3D 'R' || ctl->cmd =3D=3D 'D') { rc =3D parserRemove(ctl->uuid); - if (ctl->cmd =3D=3D 'D') + if (ctl->cmd =3D=3D 'D') { unlink(include_file); + unlink(profile); + } } else if (ctl->cmd =3D=3D 'c' || ctl->cmd =3D=3D 'r') { g_autofree char *included_files =3D NULL; g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; @@ -1566,7 +1568,9 @@ main(int argc, char **argv) #else const char *ifexists =3D ""; #endif - tmp =3D g_strdup_printf(" #include %s\n", i= fexists, ctl->uuid); + tmp =3D g_strdup_printf(" #include %s\n" \ + " #include %s\n", + ifexists, ctl->uuid, ifexists, ctl->uuid= ); =20 if (ctl->dryrun) { vah_info(profile); --=20 2.49.0
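Review bot: in the first hunk (the 'R'/'D' branch around line 1495) the two unlink() calls run regardless of the rc that parserRemove(ctl->uuid) just returned, so when parserRemove() reports a failure the profile file and its .files are still deleted from disk and nothing is left to retry the removal from; suggest guarding the deletion on success, e.g. `if (rc == 0 && ctl->cmd == 'D') {`, and checking each unlink() result so that an errno other than ENOENT is reported instead of being silently dropped (a partially removed pair, profile present but .files gone, is exactly the kind of leftover this patch sets out to clean up).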
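Review bot: in the second hunk (around line 1568) the new .local include line reuses `ifexists`, which the visible `#else` branch sets to "" when WITH_APPARMOR_3 is not defined, so on builds without `if exists` support the generated profile carries a mandatory include of a libvirt-<uuid>.local that does not normally exist and profile load will fail for every domain unless the administrator pre-creates the file; that contradicts the commit message's "include it, if present". Suggest emitting the .local line only under WITH_APPARMOR_3 (keeping the old single-line g_strdup_printf in the `#else` path), or stating in the commit message that older AppArmor needs an empty .local. Two smaller points: the trailing `\` after the first string literal is unnecessary inside an argument list, since adjacent literals concatenate on their own; and the diffstat shows only virt-aa-helper.c changing, so the new user-override location is not documented anywhere in this patch.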
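The lifecycle the commit message describes (a profile plus a .files list generated per domain, a .local file as the user-owned override, profile and .files removed on delete while .local is kept) as an added shell example; this is not part of the patch or of libvirt. It models the directory with plain files under a scratch path so it runs without AppArmor installed, and adds a stale-file audit for the leftover case the patch is addressing. The full include target names, the sample `rwk` rule and the IFEXISTS flag (standing in for the compile-time WITH_APPARMOR_3 check) are assumptions of the example, not taken from the patch.

```shell
#!/bin/sh
# Added example, not libvirt code: a scratch-directory model of the per-domain
# files virt-aa-helper keeps under /etc/apparmor.d/libvirt, to exercise the
# cleanup semantics the patch describes. Assumptions not taken from the patch:
# the include targets are written out in full, and "if exists" support is a
# flag argument instead of a compile-time check.
set -eu

# aa_create DIR UUID IFEXISTS: write DIR/libvirt-UUID and DIR/libvirt-UUID.files.
# IFEXISTS=1 emits "if exists", so a missing .files or .local does not break
# parsing; with IFEXISTS=0 both includes are mandatory.
aa_create() {
    dir=$1; uuid=$2; ifexists=""
    if [ "$3" = 1 ]; then ifexists="if exists "; fi
    {
        printf 'profile libvirt-%s flags=(attach_disconnected) {\n' "$uuid"
        printf '  #include <abstractions/libvirt-qemu>\n'
        printf '  #include %s<libvirt/libvirt-%s.files>\n' "$ifexists" "$uuid"
        printf '  #include %s<libvirt/libvirt-%s.local>\n' "$ifexists" "$uuid"
        printf '}\n'
    } > "$dir/libvirt-$uuid"
    # constructed sample rule standing in for the generated file list
    printf '  "/var/lib/libvirt/images/%s.qcow2" rwk,\n' "$uuid" \
        > "$dir/libvirt-$uuid.files"
}

# aa_delete DIR UUID: remove the profile and its .files, keep .local.
# Files that are already absent are not an error; any other removal failure is.
aa_delete() {
    dir=$1; uuid=$2
    for f in "$dir/libvirt-$uuid" "$dir/libvirt-$uuid.files"; do
        if [ -e "$f" ]; then
            rm -- "$f" || return 1
        fi
    done
    return 0
}

# aa_stale DIR: print leftovers one per line: a profile whose .files is gone,
# or a .files whose profile is gone. .local files are user data and are never
# reported. Prints nothing when the directory is consistent.
aa_stale() {
    dir=$1
    for f in "$dir"/libvirt-*; do
        [ -e "$f" ] || continue
        case $f in
            *.local) ;;
            *.files) [ -e "${f%.files}" ] || printf '%s\n' "$f" ;;
            *)       [ -e "$f.files" ] || printf '%s\n' "$f" ;;
        esac
    done
    return 0
}

# Stand-alone demonstration on a scratch directory: after the delete step only
# the .local override is left behind.
demo=$(mktemp -d)
aa_create "$demo" 2f1d-example 1
printf '# user override\n' > "$demo/libvirt-2f1d-example.local"
aa_delete "$demo" 2f1d-example
ls -1 "$demo"
rm -rf "$demo"
```

Running the script lists only libvirt-2f1d-example.local. Pointing aa_stale at a real /etc/apparmor.d/libvirt (read-only, it never deletes) shows whether a host still carries profiles from domains whose .files were removed before this patch.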