This is a stab at a V2 of

https://listman.redhat.com/archives/libvir-list/2023-June/240219.html

That patch was ACKed and committed, but reverted before the 9.5.0 release since it could be problematic with older apparmor 2.x versions still supported by libvirt. Andrea suggested copies of the profiles for apparmor 2.x and 3.x. This series takes that approach, with patch 1 making an identical copy of the src/security/apparmor directory. Patches 2 and 3 then adjust the profiles accordingly.

My approach to copying the existing directory does introduce some duplicate files in the tree, but otherwise it's minimally disruptive and will be easy to rip out when upstream libvirt no longer needs to support apparmor 2.x.

FYI, so far I've only tested with apparmor 3.x, but I did push the changes to my fork with CI enabled

https://gitlab.com/jfehlig/libvirt/-/pipelines/915347878

Thanks for comments/suggestions!

Jim Fehlig (3):
  apparmor: Create version specific apparmor profiles
  apparmor: Remove support for passt from apparmor 2.x
  apparmor: Add support for local profile customizations

 meson.build                                   |   6 +-
 src/security/apparmor-2/TEMPLATE.lxc          |  15 +
 src/security/apparmor-2/TEMPLATE.qemu         |   9 +
 src/security/apparmor-2/libvirt-lxc           | 118 ++++++++
 src/security/apparmor-2/libvirt-qemu          | 256 ++++++++++++++++++
 src/security/apparmor-2/meson.build           |  41 +++
 .../usr.lib.libvirt.virt-aa-helper.in         |  75 +++++
 .../usr.lib.libvirt.virt-aa-helper.local      |   1 +
 src/security/apparmor-2/usr.sbin.libvirtd.in  | 142 ++++++++++
 src/security/apparmor-2/usr.sbin.virtqemud.in | 135 +++++++++
 src/security/apparmor-2/usr.sbin.virtxend.in  |  55 ++++
 src/security/apparmor/libvirt-lxc             |   3 +
 src/security/apparmor/libvirt-qemu            |   3 +
 src/security/apparmor/usr.sbin.libvirtd.in    |   5 +-
 src/security/apparmor/usr.sbin.virtqemud.in   |   3 +
 src/security/apparmor/usr.sbin.virtxend.in    |   3 +
 src/security/meson.build                      |   3 +
 17 files changed, 871 insertions(+), 2 deletions(-)
 create mode 100644 src/security/apparmor-2/TEMPLATE.lxc
 create mode 100644 src/security/apparmor-2/TEMPLATE.qemu
 create mode 100644 src/security/apparmor-2/libvirt-lxc
 create mode 100644 src/security/apparmor-2/libvirt-qemu
 create mode 100644 src/security/apparmor-2/meson.build
 create mode 100644 src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in
 create mode 100644 src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local
 create mode 100644 src/security/apparmor-2/usr.sbin.libvirtd.in
 create mode 100644 src/security/apparmor-2/usr.sbin.virtqemud.in
 create mode 100644 src/security/apparmor-2/usr.sbin.virtxend.in

-- 
2.41.0