git.ipfire.org Git - thirdparty/libvirt.git/commit
virt-aa-helper: locking disk files for qemu 2.10
author Christian Ehrhardt <christian.ehrhardt@canonical.com>
Thu, 10 Aug 2017 09:19:19 +0000 (11:19 +0200)
committer Michal Privoznik <mprivozn@redhat.com>
Thu, 17 Aug 2017 14:11:59 +0000 (16:11 +0200)
commit 580cdaa7e7ba9e03303e06ff7ed487b6908efd09
tree fbf8eb76de9d9e61c39e4b244bf4fb03699d05ed
parent b71946af5c7ed4c078d239e5313182b309f87c14
virt-aa-helper: locking disk files for qemu 2.10

Testing qemu-2.10-rc2 shows issues like:
  qemu-system-x86_64: -drive file=/var/lib/uvtool/libvirt/images/kvmguest- \
  artful-normal.qcow,format=qcow2,if=none,id=drive-virtio-disk0:
  Failed to lock byte 100

It seems the following qemu commit changed the needs for the backing
image rules:

(qemu) commit 244a5668106297378391b768e7288eb157616f64
Author: Fam Zheng <famz@redhat.com>
    file-posix: Add image locking to perm operations

The block appears as:
 apparmor="DENIED" operation="file_lock" [...]
 name="/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow"
 [...] comm="qemu-system-x86" requested_mask="k" denied_mask="k"

With that qemu change in place the rules generated for the image
and backing files need the allowance to also lock (k) the files.

Disks are added via add_file_path and with this fix rules now get
that permission, but no other rules are changed, example:
  -  "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rw,
  +  "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rwk

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
src/security/virt-aa-helper.c
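
The triage described in the commit message, as an added example that is not part of the commit or of libvirt's code: it picks `file_lock` denials with a `k` mask out of audit records and adds `k` only to the matching exact-path rules, leaving every other rule and every other kind of denial alone. The profile name, pid, second audit record, log-file rule and all function names are constructed for illustration.

```python
import re

# Constructed sample data (not from the page): two audit records and a
# per-guest profile fragment shaped like the rules quoted in the commit message.
AUDIT = '''\
type=AVC msg=audit(1502356759.101:310): apparmor="DENIED" operation="file_lock" profile="libvirt-00000000-0000-0000-0000-000000000001" name="/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow" pid=4242 comm="qemu-system-x86" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1502356760.202:311): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000001" name="/srv/other/unrelated.img" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''
PROFILE = '''\
  "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow" rw,
  "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rwk,
  "/var/log/libvirt/qemu/kvmguest-artful-normal.log" w,
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')       # key="quoted" or key=bare
RULE = re.compile(r'^(\s*)"([^"]+)"\s+([a-zA-Z]+),\s*$')  # "path" perms,

def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: q if q else b for k, q, b in FIELD.findall(line)}

def lock_denials(audit_text):
    """Paths for which AppArmor denied the lock ("k") permission."""
    paths = set()
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if (rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "file_lock"
                and "k" in rec.get("denied_mask", "")
                and "name" in rec):
            paths.add(rec["name"])
    return paths

def add_lock_permission(profile_text, paths):
    """Append "k" to exact-path rules in `paths` that lack it; keep the rest."""
    out = []
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m and m.group(2) in paths and "k" not in m.group(3):
            line = f'{m.group(1)}"{m.group(2)}" {m.group(3)}k,'
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    print(add_lock_permission(PROFILE, lock_denials(AUDIT)))
```

The `open` denial for the unrelated path is deliberately ignored, so the output widens nothing beyond the lock permission on the disk image that qemu was refused.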