[apparmor] [PATCH] Don't unload libvirt's dynamic profiles on reload

Tue Feb 22 19:15:35 UTC 2011

On Tue, Feb 22, 2011 at 11:36:21AM -0600, Jamie Strandboge wrote:
> Libvirt generates dynamic profiles using aa_change_profile(). When a
> dynamic profile is added, it is of the form of 'libvirt-<vm uuid>'. Eg:
> libvirt-b5779634-a136-b0d1-c0a4-0706752c4f25
> 
> Currently, the initscripts will unload these profiles on reload, but
> they shouldn't touch them[1]. This patch special-cases libvirt's
> profiles for now so this does not happen. If more applications use
> dynamic profiles, we can in some way generalize this to flag profiles as
> dynamic.

ACK, though can you add a comment explaining why the egrep is there?
Thanks!

> ------------------------------------------------------------
> revno: 1664 [merge]
> committer: Jamie Strandboge <jamie at canonical.com>
> branch nick: apparmor-trunk
> timestamp: Tue 2011-02-22 11:29:33 -0600
> message:
>   parser/rc.apparmor.functions: Don't unload libvirt's dynamic profiles on
>   reload. For now just special-case libvirt's profiles. If more applications
>   use dynamic profiles, this should be generalized in some way to flag profiles
>   as dynamic. (LP: #702774)
> diff:
> === modified file 'parser/rc.apparmor.functions'
> --- parser/rc.apparmor.functions	2011-01-13 21:58:26 +0000
> +++ parser/rc.apparmor.functions	2011-02-22 17:14:34 +0000
> @@ -1,7 +1,7 @@
>  #!/bin/sh
>  # ----------------------------------------------------------------------
> -#    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
> -#    NOVELL (All rights reserved)
> +#    Copyright (c) 1999-2008 NOVELL (All rights reserved)
> +#    Copyright (c) 2009-2011 Canonical Ltd. (All rights reserved)
>  #
>  #    This program is free software; you can redistribute it and/or
>  #    modify it under the terms of version 2 of the GNU General Public
> @@ -464,7 +464,7 @@
>  	PNAMES_LIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
>  	profiles_names_list ${PNAMES_LIST}
>  	MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
> -	sed  -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
> +	sed  -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | egrep -v '^libvirt-[0-9a-f\-]+$' | sort >"$MODULE_PLIST"
>  	sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do
>  		echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
>  	done
> ------------------------------------------------------------
> Use --include-merges or -n0 to see merged revisions.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110222/64619c3e/attachment.pgp>