On Fri, Aug 7, 2020 at 6:14 PM Daniel P. Berrangé <[email protected]> wrote:
> On Fri, Aug 07, 2020 at 12:21:19PM +0200, Christian Ehrhardt wrote:
> > The design of apparmor in libvirt always had a way to define custom
> > per-guest rules as described in docs/drvqemu.html and [1].
> >
> > A fix meant to clean the profiles after guest shutdown was a bit
> > overzealous and accidentally removed this important admin feature as
> > well.
> >
> > Therefore reduce the --delete option of virt-aa-helper to only delete
> > the .files that would be re-generated in any case.
> >
> > Users/Admins are always free to clean the profiles themselves if they
> > prefer a clean directory - they will be regenerated as needed. But
> > libvirt should never remove the base profile meant to allow per-guest
> > overrides and thereby break a documented feature.
> >
> > [1]: https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage
> >
> > Fixes: eba2225b "apparmor: delete profile on VM shutdown"
> >
> > Signed-off-by: Christian Ehrhardt <[email protected]>
> > ---
> >  src/security/virt-aa-helper.c | 3 +--
> >  1 file changed, 1 insertion(+), 2 deletions(-)
>
> Reviewed-by: Daniel P. Berrangé <[email protected]>
> (as with the other recent apparmor patch)

Thanks for the review - there was no negative feedback so far and in tests
this worked fine. I'm committing the changes to not be postponed too close
to the next release.

> Regards,
> Daniel
> --
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
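As an added illustration of the cleanup boundary the commit message draws (example shell written for this page, not libvirt's or virt-aa-helper's code): the directory, guest UUID and file contents below are constructed, and they assume the libvirt AppArmor convention of a base profile libvirt-<uuid> that includes a generated libvirt-<uuid>.files next to it. The reduced cleanup removes only the regenerated .files; the overzealous variant removes the base profile as well, and the final function is the post-shutdown check an admin would run to confirm a per-guest override survived.

```shell
#!/bin/sh
# Example shell, not part of libvirt or virt-aa-helper. All paths, file
# contents and the guest UUID are constructed for the demonstration.

GUEST_UUID="11111111-2222-3333-4444-555555555555"   # constructed, not a real guest

# Build a throwaway profile directory that mimics /etc/apparmor.d/libvirt/
# (assumed layout: base profile plus a generated .files it includes).
setup_profile_dir() {
    dir=$(mktemp -d)
    base="$dir/libvirt-$GUEST_UUID"
    files="$base.files"
    # Base profile: the per-guest template plus an admin-added rule.
    cat > "$base" <<EOF
#include <tunables/global>
profile libvirt-$GUEST_UUID flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-$GUEST_UUID.files>
  # admin override: extra device this guest may open
  /dev/ttyUSB0 rw,
}
EOF
    # Generated per-run rules; these are rewritten on every guest start.
    cat > "$files" <<EOF
  "/var/lib/libvirt/images/guest.qcow2" rwk,
EOF
    echo "$dir"
}

# Cleanup reduced to the regenerated file only: remove libvirt-<uuid>.files
# and leave the base profile (and any admin overrides in it) alone.
cleanup_generated_rules() {
    dir="$1"
    rm -f "$dir/libvirt-$GUEST_UUID.files"
}

# The overzealous variant the commit message describes: removing the base
# profile too takes the admin override with it.
cleanup_overzealous() {
    dir="$1"
    rm -f "$dir/libvirt-$GUEST_UUID.files" "$dir/libvirt-$GUEST_UUID"
}

# Post-shutdown check: base profile still present, override rule intact,
# generated rules gone. Returns 0 when all three hold, 1 otherwise.
override_survives() {
    dir="$1"
    base="$dir/libvirt-$GUEST_UUID"
    [ -f "$base" ] || return 1
    grep -q '^  /dev/ttyUSB0 rw,' "$base" || return 1
    [ ! -e "$base.files" ] || return 1
    return 0
}
```

Running cleanup_generated_rules on a fresh directory leaves override_survives returning 0; running cleanup_overzealous instead makes it return 1, which is the regression the patch reverts.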
