Hi,
I'm looking into why virt-aa-helper isn't adding allow rules for
backing stores nested deeper than 1. So if I do
    qemu-img create -f qcow2 l1.img 10G
    qemu-img create -f qcow2 -b l1.img l2.img
and use l2.img in a domain, then virt-aa-helper will add allow
rules for the domain to access both l1.img and l2.img. But if I
    qemu-img create -f qcow2 -b l2.img l3.img
and use l3.img in the domain, then l3.img will not get an allow rule.
Looking at src/security/virt-aa-helper.c:get_files(), it is doing:
    if (!disk->src->backingStore) {
        bool probe = ctl->allowDiskFormatProbing;
        virStorageFileGetMetadata(disk->src, -1, -1, probe, false);
    }
    if (virDomainDiskDefForeachPath(disk, true, add_file_path, &buf) < 0)
        goto cleanup;
and virStorageFileGetMetadata in turn calls virStorageFileGetMetadataRecurse().
So it seems like l3.img *should* be getting hit in virDomainDiskDefForeachPath,
but it's not. Am I misunderstanding something in how these helpers should be
used?
thanks,
-serge
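An added example, not libvirt's code: a small Python walker that reads the backing-file fields from qcow2 headers and resolves a nested chain the way virStorageFileGetMetadataRecurse has to, so that every image in the chain (l1, l2 and l3 above) is produced for an allow rule. It runs over constructed stub headers (a qcow2 v3 header with only the backing fields set, not usable disk images) rather than real qemu-img output, and it fails closed on a loop or an over-long chain, which a helper that trusts image headers should do too.

```python
import os
import struct
import tempfile

QCOW2_MAGIC = b"QFI\xfb"

def qcow2_backing_file(path):
    """Backing file name from a qcow2 header, or None if none / not qcow2."""
    with open(path, "rb") as f:
        hdr = f.read(20)  # magic, version, backing_file_offset, backing_file_size
        if len(hdr) < 20 or hdr[:4] != QCOW2_MAGIC:
            return None  # raw or unknown format: the chain ends here
        _magic, _version, bf_off, bf_size = struct.unpack(">4sIQI", hdr)
        if bf_off == 0 or bf_size == 0:
            return None
        f.seek(bf_off)
        return f.read(bf_size).decode("utf-8")

def backing_chain(path, max_depth=32):
    """Every path the domain needs, top image first (what virStorageFileGetMetadataRecurse
    walks). Relative backing names resolve against the referencing image's directory."""
    chain, seen = [], set()
    cur = os.path.abspath(path)
    while True:
        if cur in seen or len(chain) >= max_depth:
            raise ValueError("backing chain loop or too deep at " + cur)
        seen.add(cur)
        chain.append(cur)
        name = qcow2_backing_file(cur)
        if name is None:
            return chain
        cur = os.path.abspath(os.path.join(os.path.dirname(cur), name))

def write_stub_qcow2(path, backing=None):
    """Constructed input: a qcow2 v3 header carrying only the backing-file fields."""
    hdr = bytearray(104)
    struct.pack_into(">4sI", hdr, 0, QCOW2_MAGIC, 3)
    if backing:
        name = backing.encode()
        struct.pack_into(">QI", hdr, 8, len(hdr), len(name))  # name sits right after header
        hdr += name
    with open(path, "wb") as f:
        f.write(hdr)

def demo():
    # Recreate the l1 -> l2 -> l3 chain from the mail in a temp dir and list the files.
    d = tempfile.mkdtemp()
    for img, base in (("l1.img", None), ("l2.img", "l1.img"), ("l3.img", "l2.img")):
        write_stub_qcow2(os.path.join(d, img), base)
    return [os.path.basename(p) for p in backing_chain(os.path.join(d, "l3.img"))]
```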