On Sat, Jul 30, 2016 at 10:01:09PM +0200, Guido Günther wrote:
> On Sat, Jul 30, 2016 at 02:44:54PM +0200, Felix Geyer wrote:
> > Hi,
> >
> > On 30.07.2016 14:06, intrigeri wrote:
> > > So I don't see how we can make virsh attach-disk work under AppArmor
> > > without either rebooting the guest to take into account the updated
> > > profile, or extending the profile in advance (so that it allows access
> > > to all disks that one may want to attach later to a domain).
> >
> > AppArmor profile updates are supposed to be applied to running processes.
> > According to upstream there is/was a bug in the kernel and the userspace
> > tools.
> >
> > Debian unstable (Linux 4.6.4-1, apparmor 2.10.95-4) is affected by this bug.
> > I haven't investigated further though.
>
> I had a quick look at
>
> https://git.kernel.org/cgit/linux/kernel/git/jj/linux-apparmor.git/log/?h=for-security
>
> (the only branch with recent updates) and didn't spot anything related to
> this.

Scratch that

https://git.kernel.org/cgit/linux/kernel/git/jj/linux-apparmor.git/log/?h=v4.7-aa2.8-out-of-tree

has some stuff that might be related.

Cheers,
 -- Guido