mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-23 22:25:25 +00:00
d53f4d02d0
There are currently broken use cases, e.g. snapshotting more than one disk at once like: $ virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no --diskspec vdb,snapshot=no --diskspec vdc,file=/test/disk1.snapshot1.qcow,snapshot=external --diskspec vdd,file=/test/disk2.snapshot1.qcow,snapshot=external The command above will iterate from qemuDomainSnapshotCreateDiskActive and eventually add /test/disk1.snapshot1.qcow first (appears in the rules) to then later add /test/disk2.snapshot1.qcow and while doing so throwing away the former rule causing it to fail. All other calls to (re)load_profile already use append=true when adding rules append=false is only used when restoring rules [1]. Fix this by letting AppArmorSetSecurityImageLabel use append=true as well. Since this is removing a (unintentional) trigger to revoke all rules appended so far we agreed on review to do some tests, but in the tests no rules came back on: - hot-plug - hot-unplug - snapshotting Bugs: https://bugs.launchpad.net/libvirt/+bug/1845506 https://bugzilla.redhat.com/show_bug.cgi?id=1746684 [1]: https://bugs.launchpad.net/libvirt/+bug/1845506/comments/13 Reviewed-by: Cole Robinson <crobinso@redhat.com> Acked-by: Jamie Strandboge <jamie@canonical.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> |
||
---|---|---|
.. | ||
apparmor | ||
Makefile.inc.am | ||
security_apparmor.c | ||
security_apparmor.h | ||
security_dac.c | ||
security_dac.h | ||
security_driver.c | ||
security_driver.h | ||
security_manager.c | ||
security_manager.h | ||
security_nop.c | ||
security_nop.h | ||
security_selinux.c | ||
security_selinux.h | ||
security_stack.c | ||
security_stack.h | ||
security_util.c | ||
security_util.h | ||
virt-aa-helper.c |