From 580cdaa7e7ba9e03303e06ff7ed487b6908efd09 Mon Sep 17 00:00:00 2001 From: Christian Ehrhardt Date: Thu, 10 Aug 2017 11:19:19 +0200 Subject: [PATCH] virt-aa-helper: locking disk files for qemu 2.10 Testing qemu-2.10-rc2 shows issues like: qemu-system-x86_64: -drive file=/var/lib/uvtool/libvirt/images/kvmguest- \ artful-normal.qcow,format=qcow2,if=none,id=drive-virtio-disk0: Failed to lock byte 100 It seems the following qemu commit changed the needs for the backing image rules: (qemu) commit 244a5668106297378391b768e7288eb157616f64 Author: Fam Zheng file-posix: Add image locking to perm operations The block appears as: apparmor="DENIED" operation="file_lock" [...] name="/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow" [...] comm="qemu-system-x86" requested_mask="k" denied_mask="k" With that qemu change in place the rules generated for the image and backing files need the allowance to also lock (k) the files. Disks are added via add_file_path and with this fix rules now get that permission, but no other rules are changed, example: - "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rw, + "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rwk Signed-off-by: Christian Ehrhardt --- src/security/virt-aa-helper.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 209ffaefb7..8ee906ae8f 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -892,11 +892,11 @@ add_file_path(virDomainDiskDefPtr disk, if (depth == 0) { if (disk->src->readonly) - ret = vah_add_file(buf, path, "r"); + ret = vah_add_file(buf, path, "rk"); else - ret = vah_add_file(buf, path, "rw"); + ret = vah_add_file(buf, path, "rwk"); } else { - ret = vah_add_file(buf, path, "r"); + ret = vah_add_file(buf, path, "rk"); } if (ret != 0) -- GitLab
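Review bot: the three vah_add_file() calls in add_file_path() now pass "rk" / "rwk" with no code comment saying why lock permission is granted, so the reason (qemu 2.10 file-posix image locking, seen as "Failed to lock byte 100" and the denied_mask="k" denial) is recorded only in the commit message. A short comment above the `if (depth == 0)` block would keep a later cleanup from dropping the `k` again. The commit message example shows only the `rw` to `rwk` case, while the hunk also adds `k` for read-only disks and for the `depth != 0` backing-file branch; it is worth stating that explicitly, since those are the rules a reader would least expect to widen. The diffstat touches only src/security/virt-aa-helper.c, so any test expectations that match the generated rule strings would need the same update.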