This series has two independent changes following from a thread back in
November (#692) [1][2]. Broadly speaking I agree that regenerating the
AppArmor profile from scratch feels fragile. That said, this issue has
been on my back burner for a while; it's out of scope for me to take on
that (much larger) effort.

I'm including the first patch for completeness' sake, as all blockcommit
operations fail without it when using the AppArmor driver (#806 [3]).
It was rejected in 2017 but is still carried in Ubuntu [4]. Feel free
not to pull it - the solution to that issue is separate and not my
primary concern. I can send a new version of patch 3 that applies
without it.

My understanding is that the domstatus XML is only used by libvirt
internally (stored in /var/run to persist runtime info over libvirtd
restarts). Since this is the case, I haven't included documentation for
the new items here; please let me know if I missed where they should be
documented.

I'm happy to consider this a first draft; feedback is welcome.

I've opened an MR to libvirt-tck with test cases that demonstrate the
bugs that this fixes [5]. Those tests pass with the series applied.

Thanks for your consideration.
~Wesley

[1] https://lists.libvirt.org/archives/list/[email protected]/thread/QUJITQCZZDLO2BJMJGYKJFJMWPXB76CC/
[2] https://gitlab.com/libvirt/libvirt/-/issues/692
[3] https://gitlab.com/libvirt/libvirt/-/issues/806
[4] https://lists.libvirt.org/archives/list/[email protected]/thread/3WIDPAU3UNWSS7CZG7IF7QWJZCPDKBD3/
[5] https://gitlab.com/libvirt/libvirt-tck/-/merge_requests/73

---
Serge Hallyn (1):
      virt-aa-helper: Ask for no deny rule for readonly disk elements

Wesley Hershberger (2):
      qemu: Store tapfd path in domstatus XML
      qemu: Store blockcommit permissions in domstatus XML

 src/conf/domain_conf.c           | 17 +++++++++++++++++
 src/conf/domain_conf.h           |  1 +
 src/conf/storage_source_conf.c   |  2 ++
 src/conf/storage_source_conf.h   |  3 +++
 src/qemu/qemu_block.c            | 26 ++++++++++++++++++++++++++
 src/qemu/qemu_blockjob.c         |  8 ++++++++
 src/qemu/qemu_command.c          |  9 +++++++++
 src/qemu/qemu_security.c         |  7 +++++++
 src/security/security_apparmor.c |  1 +
 src/security/virt-aa-helper.c    | 14 ++++++++------
 10 files changed, 82 insertions(+), 6 deletions(-)
---
base-commit: 16804acf14616d7357ad6a336f2ffd6d255a8d63
change-id: 20260105-apparmor-races-d03238ee4d93

Best regards,
-- 
Wesley Hershberger <[email protected]>
