On Wed, 2024-11-13 at 11:28 -0300, Georgia Garcia wrote:
> Some rules are generated dynamically during boot and added to the
> AppArmor policy. An example of that is macvtap devices that call the
> AppArmorSetFDLabel hook to add a rule for the tap device path.
>
> Since this information is dynamic, it is not available in the xml
> config, therefore whenever a "Restore" hook is called, the entire
> profile is regenerated by virt-aa-helper based only on the information
> from the VM definition, so the dynamic/runtime information is lost.
>
> This patchset fixes that by storing these rules in a different file
> called libvirt-uuid.runtime_files, which is included by
> libvirt-uuid.files that already exists. It also includes other fixes
> like memory leaks, adoption of the GLib API in the apparmor files and
> a fix on the AppArmor policy that incorrectly applies apparmor policy
> syntax.
>
> Georgia Garcia (4):
>   security_apparmor: fix memleaks in AppArmorSetFDLabel
>   security: replace uses of label and VIR_FREE by g_autofree
>   apparmor: fix UUID specification
>   virt-aa-helper: store dynamically generated rules
>
>  .../usr.lib.libvirt.virt-aa-helper.in      |   5 +-
>  src/security/apparmor/usr.sbin.libvirtd.in |   7 +-
>  src/security/security_apparmor.c           |  83 +++++-----
>  src/security/virt-aa-helper.c              | 145 +++++++++---------
>  4 files changed, 120 insertions(+), 120 deletions(-)

Friendly ping
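The problem the cover letter describes, and the two-file layout it proposes, modelled as an added example (this is not libvirt's code or virt-aa-helper's output). It keeps the file names from the cover letter (libvirt-<uuid>.files, libvirt-<uuid>.runtime_files) but the rule contents, the VM definition, the UUID and the tiny include resolver are constructed assumptions; only the quoted `include "..."` form of AppArmor's include directive is real syntax, and the resolver handles just that subset. `demo_lost` shows a tap rule written into the regenerated file being dropped by a Restore; `demo_kept` shows it surviving because it lives in the included runtime file that the Restore never rewrites.

```python
import os
import re
import tempfile

# Constructed UUID; real deployments use the domain's UUID in the file name.
UUID = "0f3c7d9e-1234-4abc-9def-000000000001"

# Assumed AppArmor include directive forms; only quoted absolute paths are handled.
INCLUDE_RE = re.compile(r'^\s*#?include\s+"([^"]+)"\s*$')


def static_rules_from_definition(vm_def):
    """Rules derivable from the VM definition alone (constructed shape)."""
    return [f'  "{path}" rwk,' for path in vm_def["disks"]]


def write_files_profile(apparmor_dir, uuid, vm_def):
    """Regenerate libvirt-<uuid>.files from the VM definition, as a Restore would.

    The file is rewritten from scratch every time; the only link to runtime
    state is the include of libvirt-<uuid>.runtime_files, which is created
    empty if missing and otherwise left untouched here.
    """
    files_path = os.path.join(apparmor_dir, f"libvirt-{uuid}.files")
    runtime_path = os.path.join(apparmor_dir, f"libvirt-{uuid}.runtime_files")
    if not os.path.exists(runtime_path):
        open(runtime_path, "w").close()
    with open(files_path, "w") as f:
        f.write("# regenerated from the VM definition\n")
        f.write("\n".join(static_rules_from_definition(vm_def)) + "\n")
        f.write(f'  include "{runtime_path}"\n')
    return files_path


def append_runtime_rule(apparmor_dir, uuid, path):
    """What a SetFDLabel-style hook would do for a tap device: append only."""
    runtime_path = os.path.join(apparmor_dir, f"libvirt-{uuid}.runtime_files")
    with open(runtime_path, "a") as f:
        f.write(f'  "{path}" rw,\n')


def resolve_rules(path):
    """Flatten a rule file by following quoted include lines (toy resolver)."""
    rules = []
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            m = INCLUDE_RE.match(line)
            if m:
                rules.extend(resolve_rules(m.group(1)))
            elif line.strip() and not line.lstrip().startswith("#"):
                rules.append(line.strip())
    return rules


VM_DEF = {"disks": ["/var/lib/libvirt/images/vm1.qcow2"]}  # constructed
TAP_RULE = '"/dev/tap7" rw,'  # constructed tap device path


def demo_lost():
    """Pre-fix behaviour: the runtime rule is written into .files itself."""
    with tempfile.TemporaryDirectory() as d:
        files = write_files_profile(d, UUID, VM_DEF)
        with open(files, "a") as f:
            f.write(f"  {TAP_RULE}\n")
        before = resolve_rules(files)
        write_files_profile(d, UUID, VM_DEF)  # Restore regenerates from xml only
        after = resolve_rules(files)
        return before, after


def demo_kept():
    """Fixed layout: the runtime rule lives in the included runtime file."""
    with tempfile.TemporaryDirectory() as d:
        files = write_files_profile(d, UUID, VM_DEF)
        append_runtime_rule(d, UUID, "/dev/tap7")
        before = resolve_rules(files)
        write_files_profile(d, UUID, VM_DEF)  # Restore regenerates from xml only
        after = resolve_rules(files)
        return before, after


if __name__ == "__main__":
    print("inline rule survives Restore:", TAP_RULE in demo_lost()[1])
    print("runtime-file rule survives Restore:", TAP_RULE in demo_kept()[1])
```

The split is the whole point: anything the regenerator does not know from the VM definition must live in a file the regenerator only includes and never rewrites, otherwise every Restore silently narrows the policy the running guest was started under.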