On Mon, Sep 16, 2024 at 04:55:55PM +0200, Andrea Bolognani wrote: > Currently, if either template is missing AppArmor support is > completely disabled. This means that uninstalling the LXC > driver from a system results in QEMU domains being started > without AppArmor confinement, which obviously doesn't make any > sense. > > The problematic scenario was impossible to hit in Debian until > very recently, because all AppArmor files were shipped as part > of the same package; now that the Debian package is much closer > to the Fedora one, and specifically ships the AppArmor files > together with the corresponding driver, it becomes trivial to > trigger it. > > Drop the checks entirely. virt-aa-helper, which is responsible > for creating the per-domain profiles starting from the > driver-specific template, already fails if the latter is not > present, so they were always redundant. > > https://bugs.debian.org/1081396 > > Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx> > --- > src/security/security_apparmor.c | 18 ------------------ > 1 file changed, 18 deletions(-) > > diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c > index 27184aef7f..a62ec1b10d 100644 > --- a/src/security/security_apparmor.c > +++ b/src/security/security_apparmor.c > @@ -318,27 +318,9 @@ AppArmorSetSecurityHostLabel(virSCSIVHostDevice *dev G_GNUC_UNUSED, > static virSecurityDriverStatus > AppArmorSecurityManagerProbe(const char *virtDriver G_GNUC_UNUSED) We're passing the virt driver name ("QEMU" or "LXC") in here and not using it..... > { > - g_autofree char *template_qemu = NULL; > - g_autofree char *template_lxc = NULL; > - > if (use_apparmor() < 0) > return SECURITY_DRIVER_DISABLE; > > - /* see if template file exists */ > - template_qemu = g_strdup_printf("%s/TEMPLATE.qemu", APPARMOR_DIR "/libvirt"); > - template_lxc = g_strdup_printf("%s/TEMPLATE.lxc", APPARMOR_DIR "/libvirt"); > - > - if (!virFileExists(template_qemu)) { > - virReportError(VIR_ERR_INTERNAL_ERROR, > - _("template \'%1$s\' does not exist"), template_qemu); > - return SECURITY_DRIVER_DISABLE; > - } > - if (!virFileExists(template_lxc)) { > - virReportError(VIR_ERR_INTERNAL_ERROR, > - _("template \'%1$s\' does not exist"), template_lxc); > - return SECURITY_DRIVER_DISABLE; > - } ...rather than delete these, pick the right check to perform based on 'virtDriver' value. eg approximately like this g_autofree char *template_name = g_strdup(virtDriver); for (i = 0; template_name[i]; i++) template_name[i] = tolower(template_name[i]) template = g_strdup_printf("%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt", template_name) With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
