On 6/29/23 07:14, Andrea Bolognani wrote:
For AppArmor 3.x we can use 'include if exists', which frees us
from having to create a dummy override. For AppArmor 2.x we keep
things as they are to avoid introducing regressions.
Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
---
src/security/apparmor/meson.build | 15 ++++++++++-----
.../apparmor/usr.lib.libvirt.virt-aa-helper.in | 5 +++++
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 8bc2405f88..b9257c816d 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -77,8 +77,13 @@ install_data(
install_dir: apparmor_dir / 'libvirt',
)
-install_data(
- 'usr.lib.libvirt.virt-aa-helper.local',
- install_dir: apparmor_dir / 'local',
- rename: 'usr.lib.libvirt.virt-aa-helper',
-)
+if not conf.has('WITH_APPARMOR_3')
+ # We only install the empty local override for AppArmor 2.x. For
+ # AppArmor 3.x, upstream's preference is to avoid creating these
+ # files in order to limit the amount of filesystem clutter.
+ install_data(
+ 'usr.lib.libvirt.virt-aa-helper.local',
+ install_dir: apparmor_dir / 'local',
+ rename: 'usr.lib.libvirt.virt-aa-helper',
+ )
+endif
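Review bot: `conf.has('WITH_APPARMOR_3')` tests whether the key is defined at all, not what it is set to, so the condition is only correct if the build leaves WITH_APPARMOR_3 unset for AppArmor 2.x rather than setting it to 0 or false; worth confirming how the key is populated in the top-level meson.build, or using `conf.get('WITH_APPARMOR_3', 0) == 0` if it may be set either way. It would also help to state in the comment that a host upgraded to a 3.x build keeps a stale, now-unowned copy of the empty override under apparmor_dir / 'local', which is harmless because the 3.x profile treats that include as optional, so packagers know no cleanup step is needed.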
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index ff1d46bebe..26ee20a17d 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -71,5 +71,10 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
/**.[iI][sS][oO] r,
/**/disk{,.*} r,
+@BEGIN_APPARMOR_3@
+ include if exists <local/usr.lib.libvirt.virt-aa-helper>
+@END_APPARMOR_3@
+@BEGIN_APPARMOR_2@
#include <local/usr.lib.libvirt.virt-aa-helper>
+@END_APPARMOR_2@
}
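Review bot: the `@BEGIN_APPARMOR_3@` / `@END_APPARMOR_3@` and `@BEGIN_APPARMOR_2@` / `@END_APPARMOR_2@` marker pairs presuppose a substitution step that strips the inactive block from the installed profile, and that step is not part of this diff; if the markers reached the installed file verbatim, apparmor_parser would reject the profile. Worth confirming the template processing in meson.build handles both pairs and, ideally, that the generated profile is parsed once at build time. Note also that the 2.x branch keeps the mandatory `#include <local/usr.lib.libvirt.virt-aa-helper>`, so the empty override installed by the first hunk remains required there; only the 3.x `include if exists` tolerates its absence, which is what makes dropping the installed file safe for 3.x alone.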
The markers have the added benefit of reminding us to nuke this file when we
remove 2.x support.
Regards,
Jim