Hotplugging disk not adding backing layers to apparmor profile

Russell Cattelan cattelan at digitalelves.com
Fri Dec 18 20:45:32 UTC 2020


We have been working on a feature at IBM cloud around snapshots.

One of the workflows is to add a snapshotted disk to a running virtual
instance. This involves adding a disk that has at minimum 2 qcow2 files,
one for the active overlay and one or more backing files.

The problem we are running into is that the dynamic update of the
apparmor profile appears to only add the first file in the chain to the
profile.

Based on some experiments, it appears that this should be adding
all the files to the security profile, but it seems to only do the
first (topmost) file, "disk->src":
https://gitlab.com/libvirt/libvirt/-/blob/a7db0b757d210071d39e6d116e6a4bc761e2ed66/src/qemu/qemu_hotplug.c#L695
It does not appear to loop over the disks, whereas
qemuBlockStorageSourceChainAttach does:

https://gitlab.com/libvirt/libvirt/-/blob/a7db0b757d210071d39e6d116e6a4bc761e2ed66/src/qemu/qemu_block.c#L1919



The attached disk then fails since apparmor will reject the backing
files access.

This is fairly easy to demonstrate when apparmor is active.

<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/mnt2/hotplug2.qcow2' index='1'/>
  <backingStore type='file' index='2'>
    <format type='qcow2'/>
    <source file='/mnt2/hotplug1.qcow2'/>
    <backingStore/>
  </backingStore>
  <target dev='vdc' bus='virtio'/>
</disk>

virsh attach-device test1 /mnt2/attach.xml

[535657.524784] audit: type=1400 audit(1608242451.762:79):
apparmor="DENIED" operation="open"
profile="libvirt-a7fd0ca2-1429-4a60-9ab4-a545660666ce"
name="/mnt2/hotplug1.qcow2" pid=11999 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055



-Russell Cattelan
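As an added illustration (not part of the post above and not libvirt code), the following script walks the full backing chain of the disk XML from the post and cross-checks it against the apparmor audit denial, so an operator can confirm which layers the profile update skipped. It assumes the audit record is on a single line as the kernel logs it, and the rule strings it suggests follow the `"path" rwk,` / `"path" rk,` form that libvirt's virt-aa-helper uses for disks and their read-only backing files (stated as an assumption here).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the disk definition and audit line from the post.
DISK_XML = """<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/mnt2/hotplug2.qcow2' index='1'/>
  <backingStore type='file' index='2'>
    <format type='qcow2'/>
    <source file='/mnt2/hotplug1.qcow2'/>
    <backingStore/>
  </backingStore>
  <target dev='vdc' bus='virtio'/>
</disk>"""

AUDIT_LOG = ('[535657.524784] audit: type=1400 audit(1608242451.762:79): '
             'apparmor="DENIED" operation="open" '
             'profile="libvirt-a7fd0ca2-1429-4a60-9ab4-a545660666ce" '
             'name="/mnt2/hotplug1.qcow2" pid=11999 comm="qemu-system-x86" '
             'requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055')

DENIED_RE = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)"')


def backing_chain(disk_xml):
    """Every file in the chain, topmost overlay first, by following
    nested <backingStore> elements until an empty terminator is hit."""
    node = ET.fromstring(disk_xml)
    chain = []
    while node is not None:
        src = node.find("source")
        if src is None or src.get("file") is None:
            break  # empty <backingStore/> ends the chain
        chain.append(src.get("file"))
        node = node.find("backingStore")
    return chain


def denied_paths(log_text, profile=None):
    """Set of paths apparmor denied, optionally limited to one profile."""
    denied = set()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and (profile is None or m.group(1) == profile):
            denied.add(m.group(2))
    return denied


def missing_layers(disk_xml, log_text, profile=None):
    """Chain members that the profile rejected, i.e. layers the hotplug
    update failed to add; each gets the rule it would need (assumed form)."""
    chain = backing_chain(disk_xml)
    denied = denied_paths(log_text, profile)
    return [(p, '"%s" %s,' % (p, "rwk" if i == 0 else "rk"))
            for i, p in enumerate(chain) if p in denied]
```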
