]> xenbits.xensource.com Git - libvirt.git/commitdiff
projects / libvirt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b6092de)
apparmor: Improve virt-aa-helper include
authorAndrea Bolognani <abologna@redhat.com>
Thu, 29 Jun 2023 09:40:16 +0000 (11:40 +0200)
committerAndrea Bolognani <abologna@redhat.com>
Mon, 3 Jul 2023 12:55:41 +0000 (14:55 +0200)
For AppArmor 3.x we can use 'include if exists', which frees us
from having to create a dummy override. For AppArmor 2.x we keep
things as they are to avoid introducing regressions.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
src/security/apparmor/meson.build patch | blob | blame | history
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in patch | blob | blame | history

diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 8bc2405f880f0834cb68b0c4c6d4ecab54e8c9ea..b9257c816d1eff33a9d478253cd5848f232e397e 100644 (file)
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -77,8 +77,13 @@ install_data(
   install_dir: apparmor_dir / 'libvirt',
 )
 
-install_data(
-  'usr.lib.libvirt.virt-aa-helper.local',
-  install_dir: apparmor_dir / 'local',
-  rename: 'usr.lib.libvirt.virt-aa-helper',
-)
+if not conf.has('WITH_APPARMOR_3')
+  # We only install the empty local override for AppArmor 2.x. For
+  # AppArmor 3.x, upstream's preference is to avoid creating these
+  # files in order to limit the amount of filesystem clutter.
+  install_data(
+    'usr.lib.libvirt.virt-aa-helper.local',
+    install_dir: apparmor_dir / 'local',
+    rename: 'usr.lib.libvirt.virt-aa-helper',
+  )
+endif
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index ff1d46bebed6fa50f0123c038be620ae29a2ec4b..26ee20a17d4c715dd91da292192fc3e96b9e8294 100644 (file)
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -71,5 +71,10 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
   /**.[iI][sS][oO] r,
   /**/disk{,.*} r,
 
+@BEGIN_APPARMOR_3@
+  include if exists <local/usr.lib.libvirt.virt-aa-helper>
+@END_APPARMOR_3@
+@BEGIN_APPARMOR_2@
   #include <local/usr.lib.libvirt.virt-aa-helper>
+@END_APPARMOR_2@
 }
Unnamed repository; edit this file 'description' to name the repository.