On Mon, Sep 16, 2024 at 04:13:03PM +0100, Daniel P. Berrangé wrote:
> On Tue, Sep 17, 2024 at 12:12:05AM +0900, Andrea Bolognani wrote:
> > On Mon, Sep 16, 2024 at 04:04:40PM GMT, Daniel P. Berrangé wrote:
> > > On Mon, Sep 16, 2024 at 04:55:55PM +0200, Andrea Bolognani wrote:
> > > > static virSecurityDriverStatus
> > > > AppArmorSecurityManagerProbe(const char *virtDriver G_GNUC_UNUSED)
> > >
> > > We're passing the virt driver name ("QEMU" or "LXC") in here and not using
> > > it.....
> > >
> > > ...rather than delete these, pick the right check to perform based
> > > on 'virtDriver' value.
> > >
> > > eg approximately like this
> > >
> > >   g_autofree char *template_name = g_strdup(virtDriver);
> > >   for (i = 0; template_name[i]; i++)
> > >       template_name[i] = tolower(template_name[i])
> > >   template = g_strdup_printf("%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt", template_name)
> >
> > I can give it a shot, but it still seems pointless to check whether
> > the files are available ahead of time when virt-aa-helper will do
> > that at the time when they're actually going to be used. What do we
> > gain by doing that?
>
> Do we still get a clear error message back to the user if virt-aa-helper
> fails due to the missing files ?

A difference is that this Probe check will presumably report the error
during daemon startup, while the virt-aa-helper check will delay the
report until a VM is started. A failure to start the daemon is arguably
more likely to be noticed & fixed at time of host deployment.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|