[libvirt] [PATCH 4/4] apparmor: let AppArmorSetSecurityImageLabel append rules

Christian Ehrhardt christian.ehrhardt at canonical.com
Wed Oct 16 14:27:10 UTC 2019


There are currently broken use cases, e.g. snapshotting more than one disk at
once like:
 $ virsh snapshot-create-as --domain eoan --disk-only --atomic
   --diskspec vda,snapshot=no  --diskspec vdb,snapshot=no
   --diskspec vdc,file=/test/disk1.snapshot1.qcow,snapshot=external
   --diskspec vdd,file=/test/disk2.snapshot1.qcow,snapshot=external
The command above will iterate from qemuDomainSnapshotCreateDiskActive and
eventually add /test/disk1.snapshot1.qcow first (appears in the rules)
to then later add /test/disk2.snapshot1.qcow and while doing so throwing
away the former rule causing it to fail.

All other calls to (re)load_profile already use append=true when adding
rules append=false is only used when restoring rules [1].

Fix this by letting AppArmorSetSecurityImageLabel use append=true as well.

Bugs:
https://bugs.launchpad.net/libvirt/+bug/1845506
https://bugzilla.redhat.com/show_bug.cgi?id=1746684

[1]: https://bugs.launchpad.net/libvirt/+bug/1845506/comments/13

Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
---
 src/security/security_apparmor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 320d69e52a..4dd7ba20b4 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -812,7 +812,7 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
         return -1;
     }
 
-    return reload_profile(mgr, def, src->path, false);
+    return reload_profile(mgr, def, src->path, true);
 }
 
 static int
-- 
2.23.0




More information about the libvir-list mailing list