From d53f4d02d032ec14391b5052ec165105dfc338b5 Mon Sep 17 00:00:00 2001 From: Christian Ehrhardt Date: Wed, 16 Oct 2019 09:35:27 +0200 Subject: [PATCH] apparmor: let AppArmorSetSecurityImageLabel append rules There are currently broken use cases, e.g. snapshotting more than one disk at once like: $ virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no --diskspec vdb,snapshot=no --diskspec vdc,file=/test/disk1.snapshot1.qcow,snapshot=external --diskspec vdd,file=/test/disk2.snapshot1.qcow,snapshot=external The command above will iterate from qemuDomainSnapshotCreateDiskActive and eventually add /test/disk1.snapshot1.qcow first (appears in the rules) to then later add /test/disk2.snapshot1.qcow and while doing so throwing away the former rule causing it to fail. All other calls to (re)load_profile already use append=true when adding rules append=false is only used when restoring rules [1]. Fix this by letting AppArmorSetSecurityImageLabel use append=true as well. Since this is removing a (unintentional) trigger to revoke all rules appended so far we agreed on review to do some tests, but in the tests no rules came back on: - hot-plug - hot-unplug - snapshotting Bugs: https://bugs.launchpad.net/libvirt/+bug/1845506 https://bugzilla.redhat.com/show_bug.cgi?id=1746684 [1]: https://bugs.launchpad.net/libvirt/+bug/1845506/comments/13 Reviewed-by: Cole Robinson Acked-by: Jamie Strandboge Signed-off-by: Christian Ehrhardt --- src/security/security_apparmor.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 2dd861d850..21560b2330 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -798,7 +798,7 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, return -1; } - return reload_profile(mgr, def, src->path, false); + return reload_profile(mgr, def, src->path, true); } static int
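Review bot: the one-character flip from `false` to `true` in `return reload_profile(mgr, def, src->path, true);` carries no in-code explanation, so a later reader of AppArmorSetSecurityImageLabel has no way to tell that append=true is required (several images are labelled in sequence during a multi-disk snapshot) rather than a leftover; please add a short comment above the return stating that rules must be appended here because the restore path, not this function, is responsible for revoking them. On the logic side, this hunk removes the only point at which the profile was being reset on an image-label call, so every image label now accumulates until a restore with append=false runs; the commit message says hot-plug, hot-unplug and snapshot tests showed no stale rules, but since the restore path is not part of this diff, that dependency should be spelled out in the message (or covered by a test that unplugs a disk and checks the generated profile no longer lists its path) so the behaviour is not silently broken if the restore path changes.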