apparmor: Add support for local profile customizations

Apparmor profiles in /etc/apparmor.d/ are config files that can and should
be replaced on package upgrade, which introduces the potential to overwrite
any local changes. Apparmor supports local profile customizations via
/etc/apparmor.d/local/<service> [1].

This change makes the support explicit by adding libvirtd, virtqemud, and
virtxend profile customization stubs to /etc/apparmor.d/local/. The stubs
are conditionally included by the corresponding main profiles.

[1] https://ubuntu.com/server/docs/security-apparmor
See "Profile customization" section

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 58b4024b852baa8a4e54524f08b20ca191f68df8..02a6d098ad2256a0634330264852798054765a94 100644 (file)
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -34,8 +34,10 @@ install_data(
   install_dir: apparmor_dir / 'libvirt',
 )
 
-install_data(
-  'usr.lib.libvirt.virt-aa-helper.local',
-  install_dir: apparmor_dir / 'local',
-  rename: 'usr.lib.libvirt.virt-aa-helper',
-)
+foreach name : apparmor_gen_profiles
+  install_data(
+    '@0@.local'.format(name),
+    install_dir: apparmor_dir / 'local',
+    rename: name,
+  )
+endforeach

diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index edb8dd8e2679ba68a3345ab133500d84e67e9156..41bdef53ec8aa9fb5b058f4f9360306a9398bccc 100644 (file)
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -139,4 +139,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
 
    /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
   }
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.sbin.libvirtd>
 }

diff --git a/src/security/apparmor/usr.sbin.libvirtd.local b/src/security/apparmor/usr.sbin.libvirtd.local
new file mode 100644 (file)
index 0000000..3716400
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.libvirtd.local
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.libvirtd'

diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in
index f269c608093fcc4a94569ae0a2d235c01c168493..3ebdbf2a8f7c5db2edbdf8ada0fe320acbfdbb2c 100644 (file)
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -132,4 +132,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
 
    /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
   }
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.sbin.virtqemud>
 }

diff --git a/src/security/apparmor/usr.sbin.virtqemud.local b/src/security/apparmor/usr.sbin.virtqemud.local
new file mode 100644 (file)
index 0000000..2ac68bb
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtqemud.local
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.virtqemud'

diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/apparmor/usr.sbin.virtxend.in
index 72e0d801e5ada8954c56f5c16c98faf69121cbd6..719766a0c1c69ce6047f12b346b3dd2c24c8c449 100644 (file)
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@@ -52,4 +52,7 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
   @libexecdir@/libvirt_iohelper ix,
   /etc/libvirt/hooks/** rmix,
   /etc/xen/scripts/** rmix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.sbin.virtxend>
 }

diff --git a/src/security/apparmor/usr.sbin.virtxend.local b/src/security/apparmor/usr.sbin.virtxend.local
new file mode 100644 (file)
index 0000000..2ade86d
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtxend.local
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.sbin.virtxend'