Re: [PATCH v2 1/1] virt-aa-helper: Avoid duplicate when append rule

On 8/20/25 17:49, Hector CAO wrote:
> From: Hector Cao <hector.cao@xxxxxxxxxxxxx>
> 
> When a device is dynamically attached to a VM, and it needs special
> system access for apparmor, libvirt calls virt-aa-helper (with argument -F)
> to append a new rule to the apparmor profile of the VM. virt-aa-helper does
> not check for duplicates and blindly appends the rule to the profile. Since
> there is no rule removal when a device is detached, this can make the profile
> grow in size if a big number of attach/detach operations are done, and the
> profile might hit the size limit and future attach operations might malfunction
> because no rule can be added into the apparmor profile.
> 
> This patch tries to mitigate this issue by doing a duplicate check
> when rules are appended into the profile. This fix does not guarantee
> the absence of duplicates but should be enough to prevent the profile
> from growing significantly in size and reaching its size limit.
> 
> Signed-off-by: Hector CAO <hector.cao@xxxxxxxxxxxxx>
> ---
>  src/security/virt-aa-helper.c | 15 +++++++++++++--
>  1 file changed, 13 insertions(+), 2 deletions(-)

Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>

and merged. Congratulations on your first libvirt contribution!

Michal
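The duplicate check the commit message describes, as an added illustration that is not libvirt's code: a hypothetical helper that appends a rule to an in-memory profile buffer (standing in for the profile file and its size limit) only when the rule is not already present as a whole line, so that a prefix such as `"/dev/vda1" rw,` is not mistaken for `"/dev/vda" rw,`.

```c
#include <string.h>
#include <stdbool.h>

/* Hypothetical helper: true if `rule` already appears in `profile` as a
 * complete line (leading whitespace ignored). A plain substring search
 * would wrongly report "/dev/vda" rw, as present when only "/dev/vda1" rw,
 * is in the profile, so lines are compared whole. */
static bool profile_has_rule(const char *profile, const char *rule)
{
    size_t rlen = strlen(rule);
    const char *p = profile;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t llen = nl ? (size_t)(nl - p) : strlen(p);
        const char *s = p;
        size_t slen = llen;
        while (slen && (*s == ' ' || *s == '\t')) { s++; slen--; }
        if (slen == rlen && memcmp(s, rule, rlen) == 0)
            return true;
        if (!nl)
            break;
        p = nl + 1;
    }
    return false;
}

/* Append `rule` plus a newline unless it is already present.
 * Returns 1 if appended, 0 if it was a duplicate, -1 if the buffer
 * (our stand-in for the apparmor profile size limit) is full. */
static int append_rule_unique(char *profile, size_t cap, const char *rule)
{
    if (profile_has_rule(profile, rule))
        return 0;
    size_t used = strlen(profile);
    size_t need = strlen(rule) + 1;          /* rule + '\n' */
    if (used + need + 1 > cap)               /* +1 for the terminator */
        return -1;
    memcpy(profile + used, rule, need - 1);
    profile[used + need - 1] = '\n';
    profile[used + need] = '\0';
    return 1;
}

/* Constructed sample: the same device attached twice in a row. */
static int demo_attach_twice(void)
{
    char profile[256] = "  \"/dev/vda1\" rw,\n";
    const char *rule = "\"/dev/vda\" rw,";
    int first = append_rule_unique(profile, sizeof(profile), rule);
    int second = append_rule_unique(profile, sizeof(profile), rule);
    return first * 10 + second;              /* 10: appended, then rejected */
}

/* Constructed sample: a buffer too small for even one rule. */
static int demo_limit_hit(void)
{
    char profile[12] = "";
    return append_rule_unique(profile, sizeof(profile), "\"/dev/vda\" rw,");
}
```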


