Re: [PATCH V3 1/2] Apparmor: Add profile for virtqemud

On 6/25/21 5:19 AM, Christian Boltz wrote:
Hello,

[please CC me in replies]

Your updated patches still look good, I just noticed something that is
probably minor nitpicking:

On Thursday, 24 June 2021, 22:48:58 CEST, Jim Fehlig wrote:
[...]
+  signal (send) set=("kill", "term") peer=unconfined,
[...]
+  signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,

The quotes around the signal names are superfluous. You can simply use
     set=(kill, term)
     set=(term)

Actually the parentheses are optional if there's only a single signal
mentioned, so you could also use
     set=term
(keeping the parentheses for consistency with other rules is also fine)


There are several signal rules with superfluous quotes in this patch,
and also one in the 2/2 patch.

(There's no need to re-send the patch for such a minor change IMHO.)

Thanks. I've squashed the below diff into my local branch (along with a similar change to the one instance in 2/2).

Regards,
Jim

diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in
index 2d16ea821d..3de03d49fc 100644
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -62,11 +62,11 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
   signal (send) peer=dnsmasq,
   signal (send) peer=/usr/sbin/dnsmasq,
   signal (read, send) peer=libvirt-*,
-  signal (send) set=("kill", "term") peer=unconfined,
+  signal (send) set=(kill, term) peer=unconfined,

   # For communication/control to qemu-bridge-helper
unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),
-  signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
+  signal (send) set=(term) peer=libvirtd//qemu_bridge_helper,

   # allow connect with openGraphicsFD, direction reversed in newer versions
unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), @@ -123,7 +123,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {

    # For communication/control from virtqemud
    unix (send, receive) type=stream addr=none peer=(label=virtqemud),
-   signal (receive) set=("term") peer=virtqemud,
+   signal (receive) set=(term) peer=virtqemud,

    /dev/net/tun rw,
    /etc/qemu/** r,
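
Review bot: in the first hunk, the rule `signal (send) set=(kill, term) peer=unconfined,` has no explanatory comment in the visible context, unlike the qemu-bridge-helper and openGraphicsFD rules right below it. Since `peer=unconfined` matches every unconfined process, a one-line comment naming the processes virtqemud is expected to kill or terminate would make the scope of this rule easier to audit. The neighbouring `signal (send) peer=dnsmasq,` and `signal (send) peer=/usr/sbin/dnsmasq,` rules carry no `set=` at all, so they allow any signal; if only a few are needed, they could be narrowed in the same style.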
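
Review bot: in the second hunk, the receive rule `signal (receive) set=(term) peer=virtqemud,` should be checked against the send side in the first hunk, which names `peer=libvirtd//qemu_bridge_helper` for both the `signal` and the `unix` rule. Both hunk headers place these lines under `profile virtqemud`, so if the helper is a child profile declared there, its label would be `virtqemud//qemu_bridge_helper` and the send-side rules would not match it. If the helper is really meant to run under the libvirtd child profile, a comment saying so next to the send rules would settle the question for later readers.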



