1. Patchew
  2. Libvirt
  3. View series

[libvirt] [PATCH] apparmor: delete profile on VM shutdown

Guido Günther posted 1 patch 7 years, 7 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/41257226a11164f62c3fb3dfe02d3594cae8cac0.1505762636.git.agx@sigxcpu.org
src/security/security_apparmor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[libvirt] [PATCH] apparmor: delete profile on VM shutdown
Posted by Guido Günther 7 years, 7 months ago 
instead of only unloading it. This makes sure old profiles don't pile up
in /etc/apparmor.d/libvirt and we get updates to modified templates on
VM restart.
---
 src/security/security_apparmor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 5afe0c5c85..1db94c632f 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -220,7 +220,7 @@ remove_profile(const char *profile)
 {
     int rc = -1;
     const char * const argv[] = {
-        VIRT_AA_HELPER, "-R", "-u", profile, NULL
+        VIRT_AA_HELPER, "-D", "-u", profile, NULL
     };
 
     if (virRun(argv, NULL) == 0)
-- 
2.14.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] apparmor: delete profile on VM shutdown
Posted by Jim Fehlig 7 years, 7 months ago 
On 09/18/2017 01:24 PM, Guido Günther wrote:
> instead of only unloading it. This makes sure old profiles don't pile up
> in /etc/apparmor.d/libvirt and we get updates to modified templates on
> VM restart.

Makes sense.

> ---
>   src/security/security_apparmor.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
> index 5afe0c5c85..1db94c632f 100644
> --- a/src/security/security_apparmor.c
> +++ b/src/security/security_apparmor.c
> @@ -220,7 +220,7 @@ remove_profile(const char *profile)
>   {
>       int rc = -1;
>       const char * const argv[] = {
> -        VIRT_AA_HELPER, "-R", "-u", profile, NULL
> +        VIRT_AA_HELPER, "-D", "-u", profile, NULL

I included this patch in my libvirt+apparmor testing and noticed that the 
profiles are not deleted when a VM start fails. But that's no fault of your change.

Reviewed-by: Jim Fehlig <jfehlig@suse.com>

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] apparmor: delete profile on VM shutdown
Posted by Guido Günther 7 years, 7 months ago 
Hi,
On Tue, Sep 19, 2017 at 10:36:03PM -0600, Jim Fehlig wrote:
> On 09/18/2017 01:24 PM, Guido Günther wrote:
> > instead of only unloading it. This makes sure old profiles don't pile up
> > in /etc/apparmor.d/libvirt and we get updates to modified templates on
> > VM restart.
> 
> Makes sense.

Pushed. Thanks!

> 
> > ---
> >   src/security/security_apparmor.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
> > index 5afe0c5c85..1db94c632f 100644
> > --- a/src/security/security_apparmor.c
> > +++ b/src/security/security_apparmor.c
> > @@ -220,7 +220,7 @@ remove_profile(const char *profile)
> >   {
> >       int rc = -1;
> >       const char * const argv[] = {
> > -        VIRT_AA_HELPER, "-R", "-u", profile, NULL
> > +        VIRT_AA_HELPER, "-D", "-u", profile, NULL
> 
> I included this patch in my libvirt+apparmor testing and noticed that the
> profiles are not deleted when a VM start fails. But that's no fault of your
> change.

Hmmm...seems were lacking a call to .domainRestoreSecurityAllLabel in
this case. I'll put this on my TODO list.
Cheers,
 -- Guido

> 
> Reviewed-by: Jim Fehlig <jfehlig@suse.com>
> 

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Patchew 2.1-devel-8c64711

© 2016 - 2025 Red Hat, Inc.