Re: [PATCH v2 0/4] fix AppArmor policy restore for runtime rules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2024-11-13 at 11:28 -0300, Georgia Garcia wrote:
> Some rules are generated dynamically during boot and added to the
> AppArmor policy. An example of that is macvtap devices that call the
> AppArmorSetFDLabel hook to add a rule for the tap device path.
> 
> Since this information is dynamic, it is not available in the xml
> config, therefore whenever a "Restore" hook is called, the entire
> profile is regenerated by virt-aa-helper based only the information
> from the VM definition, so the dynamic/runtime information is lost.
> 
> This patchset fixes that by storing these rules in a different file
> called libvirt-uuid.runtime_files, which is included by
> libvirt-uuid.files that already exists. It also includes other fixes
> like memory leaks, adoption of the GLib API in the apparmor files and
> a fix on the AppArmor policy that incorrectly applies apparmor policy
> syntax.
> 
> Georgia Garcia (4):
>   security_apparmor: fix memleaks in AppArmorSetFDLabel
>   security: replace uses of label and VIR_FREE by g_autofree
>   apparmor: fix UUID specification
>   virt-aa-helper: store dynamically generated rules
> 
>  .../usr.lib.libvirt.virt-aa-helper.in         |   5 +-
>  src/security/apparmor/usr.sbin.libvirtd.in    |   7 +-
>  src/security/security_apparmor.c              |  83 +++++-----
>  src/security/virt-aa-helper.c                 | 145 +++++++++---------
>  4 files changed, 120 insertions(+), 120 deletions(-)
> 

Friendly ping




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux