apparmor: allow adding permanent per guest rules

The design of apparmor in libvirt always had a way to define custom
per-guest rules as described in docs/drvqemu.html and [1].

A fix meant to clean the profiles after guest shutdown was a bit
overzealous and accidentially removed this important admin feature as
well.

Therefore reduce the --delete option of virt-aa-helper to only delete
the .files that would be re-generated in any case.

Users/Admins are always free to clean the profiles themselve if they
prefer a clean directory - they will be regenerated as needed. But
libvirt should never remove the base profile meant to allow per-guest
overrides and thereby break a documented feature.

[1]: https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage

Fixes: eba2225b "apparmor: delete profile on VM shutdown"
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index dadb9d1614846b1d4b0430284de61450f848893c..4b66422b8ff30f1e2c23c8c0fd9ff95c2e0732d9 100644 (file)
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -99,7 +99,7 @@ vah_usage(void)
             "  Modes:\n"
             "    -a | --add                     load profile\n"
             "    -c | --create                  create profile from template\n"
-            "    -D | --delete                  unload and delete profile\n"
+            "    -D | --delete                  unload profile and delete generated rules\n"
             "    -r | --replace                 reload profile\n"
             "    -R | --remove                  unload profile\n"
             "  Options:\n"
@@ -1491,7 +1491,6 @@ main(int argc, char **argv)
         rc = parserRemove(ctl->uuid);
         if (ctl->cmd == 'D') {
             unlink(include_file);
-            unlink(profile);
         }
     } else if (ctl->cmd == 'c' || ctl->cmd == 'r') {
         char *included_files = NULL;