Drop d/p/apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch

The abstraction brings too much permissions, see discussion when upstreaming the change: https://www.redhat.com/archives/libvir-list/2020-August/msg00099.html (To me) with libvirt >=6.0 (actually even with the old versions, maybe kernel dependent) this isn't reproducible anymore. We should drop the rule and once anyone can reproduce it again we can try if we either want to go with: # virt-aa-helper dependent libraries read (and if successful, other # files) this but virt-aa-helper itself doesn't require the access, # so silence the denial. deny /etc/nsswitch.conf r, Or allowing a very reduced set (Ubuntu had that for a short while): # virt-aa-helper dependent libraries might read nss info, but do not # need full nameservice access. /etc/gai.conf r, /etc/hosts r, /etc/host.conf r, /etc/nsswitch.conf r, Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Drop d/p/apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
dd2d1a9e · Christian Ehrhardt · ceab4030 · ceab4030 · dd2d1a9e
Verified Commit dd2d1a9e authored 4 years ago by Christian Ehrhardt
--- a/debian/patches/apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
+++ b/debian/patches/apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
-From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
-Date: Tue, 5 Dec 2017 14:40:40 +0100
-Subject: apparmor: Allow virt-aa-helper to access the name service switch
-
-Closes: #882979
---
- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
-index be8b9ee..9ad9537 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
-+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
-@@ -2,6 +2,7 @@
- 
- profile virt-aa-helper @libexecdir@/virt-aa-helper {
-   #include <abstractions/base>
-+  #include <abstractions/nameservice>
- 
-   # needed for searching directories
-   capability dac_override,
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,7 +9,6 @@ debian/Use-upstreams-polkit-rule.patch
 debian/apparmor_profiles_local_include.patch
 Set-defaults-for-zfs-tools.patch
 Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
-apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
 debian/Prefer-sbin-over-usr-sbin.patch
 Include-etc-pki-qemu-in-apparmor.patch
 apparmor-Allow-run-pygrub.patch