virt-aa-helper management of AppArmor profiles
Software environment
- Operating system: debian unstable
- Architecture: amd64
- kernel version: 6.1.0
- libvirt version: 9.0.0
- Hypervisor and version: qemu 7.2
Description of problem
With AppArmor enabled (default on debian and ubuntu), libvirt (via virt-aa-helper) dynamically creates an AppArmor profile.
When the domain stops, libvirt removes the .files file that is included in the main profile (but it keeps the unloaded profile itself).
There are multiple problems here IMVHO:
- It seems that the profile itself is never deleted even when the domain is fully deleted, meaning that it will clutter the filesystem with old files. I could understand that you want to keep the file around (keep the same UUID?) while the domain is defined, but once deleted the profile should be deleted too.
- As virt-aa-helper only deletes the .files file and that file is included in the main profile, some tools around AppArmor like aa-logprof (used to generate a profile from the audit logs) fail with an error like:
ERROR: Include file /etc/apparmor.d/libvirt/libvirt-88fc6b00-b951-42e3-a535-c0752b5a401e.files not found
making them unusable.
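The dangling-include state described above can be spotted before aa-logprof trips over it. The following POSIX shell script is an added example, not part of libvirt or virt-aa-helper: it walks a directory of libvirt AppArmor profiles, extracts every quoted absolute-path include line, and reports those whose target file no longer exists. It assumes the profiles live under /etc/apparmor.d/libvirt/ and reference their per-domain rules with a line of the form `#include "/etc/apparmor.d/libvirt/libvirt-<uuid>.files"` (or the `include "..."` spelling used by newer AppArmor); the function names and the directory argument are the example's own.

```shell
#!/bin/sh
# Added example (not libvirt's own code): find libvirt AppArmor profiles whose
# included .files fragment is missing, i.e. the state that makes aa-logprof
# fail with "Include file ... not found".
# Assumption: the per-domain profile references its rules fragment with a
# quoted absolute path on an include line, e.g.
#   #include "/etc/apparmor.d/libvirt/libvirt-<uuid>.files"

# Print "<profile><TAB><missing include>" for every dangling include in $1.
find_dangling_includes() {
    dir="$1"
    for profile in "$dir"/libvirt-*; do
        [ -f "$profile" ] || continue
        # The .files fragments are included by profiles; they are not profiles.
        case "$profile" in *.files) continue ;; esac
        # Extract the quoted path from '#include "..."' or 'include "..."'.
        sed -n 's/^[[:space:]]*#\{0,1\}include[[:space:]]*"\([^"]*\)".*/\1/p' "$profile" |
        while IFS= read -r inc; do
            [ -e "$inc" ] || printf '%s\t%s\n' "$profile" "$inc"
        done
    done
}

# Print the number of dangling includes found in $1 (0 means consistent).
count_dangling_includes() {
    find_dangling_includes "$1" | wc -l | tr -d ' '
}

# Usage: sh check_libvirt_profiles.sh /etc/apparmor.d/libvirt
if [ "$#" -gt 0 ]; then
    find_dangling_includes "$1"
    [ "$(count_dangling_includes "$1")" -eq 0 ]
fi
```

Running it against the real directory right after a domain stops shows the stale profile next to the .files path it still references; an empty result means aa-logprof and friends can parse every profile in the directory.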
Steps to reproduce
- On a system with AppArmor enabled
- Create a domain with qemu and start it
- Stop the domain