Brian Turek
2020-Oct-06 04:53 UTC
Any way to persistently edit a single VM's AppArmor profile?
In order to test a patch I submitted, I've been experimenting with "qemu:commandline" to use some newer features for a QEMU host/guest file share. I quickly ran into issues with AppArmor as virt-aa-helper understandably doesn't parse "qemu:commandline" for directories to add to the dynamically generated AppArmor profile.

After reading a bunch of documentation, I cannot find a way to persistently edit a single VM's AppArmor profile. virt-aa-helper will respect a pre-existing "/etc/apparmor.d/libvirt/libvirt-<uuid>" file but then delete it when the VM shuts down. virt-aa-helper does not respect pre-existing "/etc/apparmor.d/libvirt/libvirt-<uuid>.files" and will just overwrite it. The best I came up with was to edit "/etc/apparmor.d/abstractions/libvirt-qemu", but that affects ALL QEMU-based VMs whereas I really only need to tweak one profile.

I'm an AppArmor novice so I'm hoping there might be some other way to do what I need. Anyone have any ideas?

Thank you