On Thu, 2010-09-23 at 15:02 -0500, Jamie Strandboge wrote:
Hmm, that's a libvirt error rather than a QEMU error. Is the restricted AppArmour policy taking effect *before* the actual QEMU binary is exec()d ?
This is related to the stacked security driver implementation. Specifically, if I strace libvirtd, I see in one of its threads: gettid() = 20306 open("/proc/20306/attr/current", O_WRONLY) = 3 write(3, "changeprofile libvirt-7d781722-6"..., 58) = 58 close(3) = 0 chown("/tmp/qrt-test-libvirt/libvirt/qatest/qatest.img", 116, 123) = 0 setregid(123, 123) = -1 EPERM (Operation not permitted)
This chown appears to come from qemuSecurityDACSetProcessLabel(). What seems to be happening is that in __virExec() we call the security hook and the apparmor hook is being called before the DAC one, so we aa_change_profile() to the more restricted libvirt-<uuid> profile. It seems that it would be preferable to reverse the calling order of the hooks, but I am not sure how to do that.
Err.. of course I meant both the 'chown' and the 'setregid' appear to come from qemuSecurityDACSetProcessLabel() and that it is the setregid that is causing the error. -- Jamie Strandboge | http://www.canonical.com