Re: [libvirt] PATCH 3/4: AppArmor updates

> Hmm, that's a libvirt error rather than a QEMU error. Is the restricted > AppArmour policy taking effect *before* the actual QEMU binary is exec()d ? This is related to the stacked security driver implementation. Specifically, if I strace libvirtd, I see in one of its threads: gettid() = 20306 open("/proc/20306/attr/current", O_WRONLY) = 3 write(3, "changeprofile libvirt-7d781722-6"..., 58) = 58 close(3) = 0 chown("/tmp/qrt-test-libvirt/libvirt/qatest/qatest.img", 116, 123) = 0 setregid(123, 123) = -1 EPERM (Operation not permitted) This chown appears to come from qemuSecurityDACSetProcessLabel(). What seems to be happening is that in __virExec() we call the security hook and the apparmor hook is being called before the DAC one, so we aa_change_profile() to the more restricted libvirt-<uuid> profile. It seems that it would be preferable to reverse the calling order of the hooks, but I am not sure how to do that.