[libvirt] Investigation and possible fix of 1361592 - apparmor profiles do not include backing files

Povilas Kanapickas povilas at radix.lt
Thu Aug 16 20:03:40 UTC 2018


On 16/08/2018 10:38, Peter Krempa wrote:
> To fix this you should record the backing format [1] into your overlay
> image. If we'd relax the code we'd face the regression in the security
> fix we've done.
> 
> [1] qemu-img create -f qcow2 -F qcow2 -b backing-qcow2 overlay.qcow2
> 
> -F option specifies the format of the backing file
> 

Thanks a lot for your explanation, now I see that my proposal does not
make any sense. Your suggestion works fine and virt-aa-helper produces
correct output.

Do you think this situation should ideally be diagnosed by higher-level
tools such as virt-manager which right now emit a generic permission
denied error?

Maybe virt-aa-helper could also emit a comment into the apparmor profile
saying something like "image.img has a backing image xyz.img but it was
not probed because its format is not recorded into the overlay image"?

Regards,
Povilas
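
The diagnostic proposed above, as an added example that is not part of the original post and is not virt-aa-helper code: it reads the qcow2 header of an overlay and reports when a backing file is named but the backing format header extension (the value written by -F) is absent. The names backing_info, diagnose and make_header are hypothetical, and the header bytes are constructed samples rather than real images.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
EXT_BACKING_FORMAT = 0xE2792ACA  # qcow2 "backing file format name" extension

def backing_info(buf):
    """Return (backing_file, backing_format); a value is None if not recorded."""
    if len(buf) < 104 or buf[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image (or header truncated)")
    version, bf_off, bf_len = struct.unpack_from(">IQI", buf, 4)
    if version not in (2, 3):
        raise ValueError("unsupported qcow2 version %d" % version)
    # v2 headers are 72 bytes; v3 stores header_length at offset 100.
    pos = 72 if version == 2 else struct.unpack_from(">I", buf, 100)[0]
    backing = buf[bf_off:bf_off + bf_len].decode("utf-8", "replace") if bf_off else None
    end = min(bf_off, len(buf)) if bf_off else len(buf)
    fmt = None
    while pos + 8 <= end:  # each extension: be32 type, be32 length, padded data
        ext_type, ext_len = struct.unpack_from(">II", buf, pos)
        if ext_type == 0:  # end-of-extensions marker
            break
        if ext_type == EXT_BACKING_FORMAT:
            fmt = buf[pos + 8:pos + 8 + ext_len].decode("ascii", "replace")
        pos += 8 + ((ext_len + 7) & ~7)  # data is padded to a multiple of 8
    return backing, fmt

def diagnose(name, buf):
    backing, fmt = backing_info(buf)
    if backing is None:
        return "%s: no backing image" % name
    if fmt is None:
        return ("%s has a backing image %s but its format is not recorded "
                "in the overlay image" % (name, backing))
    return "%s: backing image %s, format %s" % (name, backing, fmt)

def make_header(backing=None, fmt=None):
    """Constructed sample: minimal qcow2 v3 header bytes, not a usable image."""
    ext = b""
    if fmt:
        data = fmt.encode()
        padded = data.ljust((len(data) + 7) & ~7, b"\0")
        ext = struct.pack(">II", EXT_BACKING_FORMAT, len(data)) + padded
    ext += struct.pack(">II", 0, 0)  # end-of-extensions marker
    hdr = bytearray(104)
    hdr[:4] = QCOW2_MAGIC
    name = (backing or "").encode()
    struct.pack_into(">IQI", hdr, 4, 3, (104 + len(ext)) if backing else 0, len(name))
    struct.pack_into(">I", hdr, 100, 104)  # header_length
    return bytes(hdr) + ext + name
```

For a real overlay, pass the first cluster of the file (for example the first 65536 bytes read in binary mode) to diagnose.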



