apparmor: Only support passt on 3.x

The subprofile can only work by including the abstraction shipped
in the passt package, which we can't assume is present, and
'include if exists' doesn't work well on 2.x.

No distro that's stuck on AppArmor 2.x is likely to be shipping
passt anyway.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Jim Fehlig <jfehlig@suse.com>

diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
index 44056b5f141c79db6c56e57138f8af056f7bee0a..1548cf23bfc4196707e00c9e4e706e915dce7a21 100644 (file)
--- a/src/security/apparmor/libvirt-qemu.in
+++ b/src/security/apparmor/libvirt-qemu.in
@@ -185,6 +185,7 @@
   /usr/{lib,lib64}/libswtpm_libtpms.so mr,
   /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
 
+@BEGIN_APPARMOR_3@
   # support for passt network back-end
   /usr/bin/passt Cx -> passt,
 
@@ -199,6 +200,7 @@
 
     include if exists <abstractions/passt>
   }
+@END_APPARMOR_3@
 
   # for save and resume
   /{usr/,}bin/dash rmix,