patches: Add backport/apparmor-Don-t-check-for-existence[...]

Ensures that AppArmor doesn't get disabled for QEMU domains just because the LXC driver is not installed. Closes: #1081396

patches: Add backport/apparmor-Don-t-check-for-existence[...]
70a5d8d9 · Andrea Bolognani · 72c502d9 · 70a5d8d9 · 70a5d8d9
Commit 70a5d8d9 authored 8 months ago by Andrea Bolognani
--- a/debian/patches/backport/apparmor-Don-t-check-for-existence-of-templates-upfront.patch
+++ b/debian/patches/backport/apparmor-Don-t-check-for-existence-of-templates-upfront.patch
+From: Andrea Bolognani <abologna@redhat.com>
+Date: Mon, 16 Sep 2024 16:39:11 +0200
+Subject: apparmor: Don't check for existence of templates upfront
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Currently, if either template is missing AppArmor support is
+completely disabled. This means that uninstalling the LXC
+driver from a system results in QEMU domains being started
+without AppArmor confinement, which obviously doesn't make any
+sense.
+
+The problematic scenario was impossible to hit in Debian until
+very recently, because all AppArmor files were shipped as part
+of the same package; now that the Debian package is much closer
+to the Fedora one, and specifically ships the AppArmor files
+together with the corresponding driver, it becomes trivial to
+trigger it.
+
+Drop the checks entirely. virt-aa-helper, which is responsible
+for creating the per-domain profiles starting from the
+driver-specific template, already fails if the latter is not
+present, so they were always redundant.
+
+https://bugs.debian.org/1081396
+
+Signed-off-by: Andrea Bolognani <abologna@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit d622ca04f6525b90cfe6d8274efaf4bee043d8ba)
+
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commit/d622ca04f6525b90cfe6d8274efaf4bee043d8ba
+---
+ src/security/security_apparmor.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
+index 27184ae..a62ec1b 100644
+--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
+@@ -318,27 +318,9 @@ AppArmorSetSecurityHostLabel(virSCSIVHostDevice *dev G_GNUC_UNUSED,
+ static virSecurityDriverStatus
+ AppArmorSecurityManagerProbe(const char *virtDriver G_GNUC_UNUSED)
+ {
+-    g_autofree char *template_qemu = NULL;
+-    g_autofree char *template_lxc = NULL;
+-
+     if (use_apparmor() < 0)
+         return SECURITY_DRIVER_DISABLE;
+ 
+-    /* see if template file exists */
+-    template_qemu = g_strdup_printf("%s/TEMPLATE.qemu", APPARMOR_DIR "/libvirt");
+-    template_lxc = g_strdup_printf("%s/TEMPLATE.lxc", APPARMOR_DIR "/libvirt");
+-
+-    if (!virFileExists(template_qemu)) {
+-        virReportError(VIR_ERR_INTERNAL_ERROR,
+-                       _("template \'%1$s\' does not exist"), template_qemu);
+-        return SECURITY_DRIVER_DISABLE;
+-    }
+-    if (!virFileExists(template_lxc)) {
+-        virReportError(VIR_ERR_INTERNAL_ERROR,
+-                       _("template \'%1$s\' does not exist"), template_lxc);
+-        return SECURITY_DRIVER_DISABLE;
+-    }
+-
+     return SECURITY_DRIVER_ENABLE;
+ }
+ 
--- a/debian/patches/series
+++ b/debian/patches/series
+backport/apparmor-Don-t-check-for-existence-of-templates-upfront.patch
 forward/Reduce-udevadm-settle-timeout-to-10-seconds.patch
 debian/Debianize-libvirt-guests.patch
 debian/apparmor_profiles_local_include.patch