Re: [libvirt] Investigation and possible fix of 1361592 - apparmor profiles do not include backing files
On 16/08/2018 10:38, Peter Krempa wrote:
To fix this you should record the backing format [1] into your
overlay
image. If we'd relax the code we'd face the regression in the security
fix we've done.
[1] qemu-img creage -f qcow2 -F qcow2 -b backing-qcow2 overlay.qcow2
-F option specifies the format of the backing file
Thanks a lot for your explanation, now I see that my proposal does not
make any sense. Your suggestion works fine and virt-aa-helper produces
correct output.
Do you think this situation should ideally be diagnosed by higher-level
tools such as virt-manager which right now emit a generic permission
denied error?
Maybe virt-aa-helper could also emit a comment into the apparmor profile
saying something like "image.img has a backing image xyz.img but it was
not probed because its format is not recorded into the overlay image"?
Regards,
Povilas