[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/master] apparmor: add local include for libvirt-qemu & libvirt-lxc

Guido Günther gitlab at salsa.debian.org
Thu Jan 14 13:20:04 GMT 2021



Guido Günther pushed to branch debian/master at Libvirt Packaging Team / libvirt


Commits:
3d8fdd2b by Christian Ehrhardt at 2021-01-14T13:01:02+00:00
apparmor: add local include for libvirt-qemu & libvirt-lxc

We have had local includes for libvirtd and virt-aa-helper, but
unfortunately the most likely place for local includes to take place is
in /etc/apparmor/abstractions/libvirt-qemu (and libvirt-lxc) where we have
had no such local include yet.

This adds the include to the patch that adds the other Distro specific
includes d/p/debian/apparmor_profiles_local_include.patch.

Furthermore "normal" dh_apparmor can't handle subdirs in the profile
reference (since this is actually an abstraction it has the subdir).
Also for the abstraction we don't want the usual reload code.
Therefore we extract and add just what we need of a dh_apparmor snippet
and add it to the postinst of libvirt-daemon-system.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>

- - - - -


3 changed files:

- debian/libvirt-daemon-system.postinst
- debian/libvirt-daemon-system.postrm
- debian/patches/debian/apparmor_profiles_local_include.patch


Changes:

=====================================
debian/libvirt-daemon-system.postinst
=====================================
@@ -132,6 +132,23 @@ case "$1" in
 
         # Force refresh of capabilities (#731815)
         rm -f /var/cache/libvirt/qemu/capabilities/*.xml
+
+        # dh_apparmor can't work with dir/file profile filenames yet (#979500)
+        # Also we don't want the reload section of dh_apparmor. Just the
+        # install of an empty include.
+        ABSTRACTIONS_DIR="/etc/apparmor.d/abstractions"
+        LOCAL_ABSTRACTIONS_DIR="/etc/apparmor.d/local/abstractions"
+        LIBVIRT_ABSTRACTIONS="libvirt-lxc libvirt-qemu"
+
+        for name in $LIBVIRT_ABSTRACTIONS; do
+            abstraction="$ABSTRACTIONS_DIR/$name"
+            local_abstraction="$LOCAL_ABSTRACTIONS_DIR/$name"
+
+            if [ -e "$abstraction" ] && [ ! -e "$local_abstraction" ]; then
+                mkdir -p "$LOCAL_ABSTRACTIONS_DIR"
+                install -m 0644 /dev/null "$local_abstraction"
+            fi
+        done
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
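Review bot: confirm this block runs before any AppArmor profile reload in the same `configure` branch, because the `#include <local/abstractions/libvirt-qemu>` and `<local/abstractions/libvirt-lxc>` lines added in the patch are unconditional includes (not `include if exists`), so any profile that pulls in those abstractions will fail to load until the empty local file exists. The `[ ! -e "$local_abstraction" ]` guard is right: it preserves an admin-edited file across upgrades, and `install -m 0644 /dev/null` gives the same root-owned, world-readable empty file dh_apparmor would create. Minor: the `ABSTRACTIONS_DIR` / `LOCAL_ABSTRACTIONS_DIR` / `LIBVIRT_ABSTRACTIONS` triple is repeated verbatim in the postrm; a single definition would keep the two scripts from drifting when another abstraction is added later.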


=====================================
debian/libvirt-daemon-system.postrm
=====================================
@@ -117,6 +117,20 @@ case "$1" in
                 -- \
                 "$@"
         done
+
+        # dh_apparmor can't work with dir/file profile filenames yet (#979500)
+        ABSTRACTIONS_DIR="/etc/apparmor.d/abstractions"
+        LOCAL_ABSTRACTIONS_DIR="/etc/apparmor.d/local/abstractions"
+        LIBVIRT_ABSTRACTIONS="libvirt-lxc libvirt-qemu"
+        for name in $LIBVIRT_ABSTRACTIONS; do
+            abstraction="$ABSTRACTIONS_DIR/$name"
+            local_abstraction="$LOCAL_ABSTRACTIONS_DIR/$name"
+
+            if [ ! -e "$abstraction" ] ; then
+                rm -f "$local_abstraction"
+                rmdir --ignore-fail-on-non-empty "$LOCAL_ABSTRACTIONS_DIR" 2>/dev/null
+            fi
+        done
     ;;
 
     remove|upgrade|failed-upgrade|disappear)
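Review bot: `rm -f "$local_abstraction"` silently discards any site-specific rules the admin put into the file; because the file is created by the maintainer script rather than shipped as a conffile, dpkg gives no modified-file prompt or backup. That mirrors dh_apparmor's own behaviour for its local includes, but the comment should say so, and it should be visible from the enclosing `case` branch that this only runs on purge, never on remove or upgrade. The `[ ! -e "$abstraction" ]` test is what keeps the local file when a newer package version has already unpacked a replacement abstraction, so keep it. `rmdir --ignore-fail-on-non-empty` is GNU coreutils specific, which is acceptable in a Debian maintainer script; redirecting its stderr to `/dev/null` also hides permission errors, which is probably fine here but worth knowing.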


=====================================
debian/patches/debian/apparmor_profiles_local_include.patch
=====================================
@@ -8,26 +8,40 @@ Include local apparmor profile
  src/security/apparmor/usr.sbin.libvirtd.in              | 3 +++
  2 files changed, 4 insertions(+)
 
-diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
-index dd18c8a..be8b9ee 100644
 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
 +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
-@@ -69,5 +69,6 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
+@@ -69,5 +69,6 @@ profile virt-aa-helper @libexecdir@/virt
    /**.[iI][sS][oO] r,
    /**/disk{,.*} r,
  
 +  # Site-specific additions and overrides. See local/README for details..
    #include <local/usr.lib.libvirt.virt-aa-helper>
  }
-diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
-index bf4563e..6fce647 100644
 --- a/src/security/apparmor/usr.sbin.libvirtd.in
 +++ b/src/security/apparmor/usr.sbin.libvirtd.in
-@@ -134,4 +134,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
+@@ -134,4 +134,7 @@ profile libvirtd @sbindir@/libvirtd flag
  
     /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
    }
-+  
++
 +  # Site-specific additions and overrides. See local/README for details..
 +  #include <local/usr.sbin.libvirtd>
  }
+--- a/src/security/apparmor/libvirt-qemu
++++ b/src/security/apparmor/libvirt-qemu
+@@ -242,3 +242,6 @@
+   # /sys/bus/nd/devices
+   / r, # harmless on any lsb compliant system
+   /sys/bus/nd/devices/{,**/} r,
++
++  # Site-specific additions and overrides. See local/README for details..
++  #include <local/abstractions/libvirt-qemu>
+--- a/src/security/apparmor/libvirt-lxc
++++ b/src/security/apparmor/libvirt-lxc
+@@ -112,3 +112,6 @@
+   deny /sys/fs/cgrou[^p]*{,/**} wklx,
+   deny /sys/fs/cgroup?*{,/**} wklx,
+   deny /sys/fs?*{,/**} wklx,
++
++  # Site-specific additions and overrides. See local/README for details..
++  #include <local/abstractions/libvirt-lxc>
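Review bot: the diffstat retained as context at the top of the hunk (`src/security/apparmor/usr.sbin.libvirtd.in | 3 +++` and `2 files changed, 4 insertions(+)`) is now stale, since the quilt patch touches four files and adds more than four lines; either refresh the stat block or drop it, because a wrong summary misleads whoever refreshes the patch next. The new `#include <local/abstractions/libvirt-qemu>` and `#include <local/abstractions/libvirt-lxc>` lines are hard includes, so they create a dependency on libvirt-daemon-system.postinst having created those files before any guest profile that uses the abstractions is loaded; that matches the existing `local/usr.sbin.libvirtd` include, but deserves a sentence in the patch description. The comment text `See local/README for details..` copies a doubled period from the existing lines; the newly added lines could at least get it right. Dropping the `diff --git` and `index` lines is harmless for quilt.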



View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/-/commit/3d8fdd2bb240c1465767e008529ba2b9f4ce00ec
