Comment 0 for bug 1644507

James Page (james-page) wrote : virt-aa-helper denied access to qcow2 backing file running nova in a snap

The apparmor profile for virt-aa-helper allows access to qcow2 backing images in some well-known locations for OpenStack Nova:

  /var/lib/nova/images/** r,
  /var/lib/nova/instances/_base/** r,
  /var/lib/nova/instances/snapshots/** r,

which is great when openstack is installed using debs from the archive; I'm working on a snap for a Nova hypervisor, and the base images are stored in:

  /var/snap/nova-hypervisor/common/instances/_base

so instances fail to boot as the generated profile for the instance does not contain access to the backing file as virt-aa-helper is DENIED access to it:

[ 5144.554120] audit: type=1400 audit(1479983132.426:49771): apparmor="DENIED" operation="open" profile="libvirt-d140e3d0-071d-453f-99f2-a777fd1a1c3d" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=663 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=115 ouid=115

switched virt-aa-helper into complain mode:

[ 5531.325617] audit: type=1400 audit(1479983519.193:49776): apparmor="ALLOWED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=5509 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=115

and the instance booted successfully.

The actual disk for the instance is covered by:

  /**/disk{,.*} r,

unfortunately the base image does not have a nice generalizable path in the same way.

We could do:

  /var/**/images/** r,
  /var/**/_base/** r,
  /var/**/snapshots/** r,

which would capture other locations for the openstack instances path in the event that it's not the default path for nova.
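As an added illustration (not part of this report or of libvirt's own code), the following Python script parses the kernel audit lines quoted above and checks which denied paths the current and the proposed virt-aa-helper rules would grant. The AppArmor glob translation is a simplified one written for this example: it handles `*`, `**`, `?` and `{a,b}` but not character classes.

```python
import re

# Constructed sample: the two audit lines from the report, in dmesg format.
SAMPLE_AUDIT = """\
[ 5144.554120] audit: type=1400 audit(1479983132.426:49771): apparmor="DENIED" operation="open" profile="libvirt-d140e3d0-071d-453f-99f2-a777fd1a1c3d" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=663 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=115 ouid=115
[ 5531.325617] audit: type=1400 audit(1479983519.193:49776): apparmor="ALLOWED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=5509 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=115
"""

# Rules as they appear in the report: the shipped ones and the proposed replacement.
CURRENT_RULES = ['/var/lib/nova/images/** r,', '/var/lib/nova/instances/_base/** r,',
                 '/var/lib/nova/instances/snapshots/** r,']
PROPOSED_RULES = ['/var/**/images/** r,', '/var/**/_base/** r,', '/var/**/snapshots/** r,']

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_audit(text):
    """Yield a dict of the quoted key="value" fields of each type=1400 apparmor line."""
    for line in text.splitlines():
        if 'type=1400' in line and 'apparmor=' in line:
            yield dict(FIELD_RE.findall(line))

def glob_to_regex(path_glob):
    """Translate AppArmor path globbing: ** crosses '/', * and ? do not, {a,b} alternates."""
    out, depth, i = [], 0, 0
    while i < len(path_glob):
        c = path_glob[i]
        if path_glob.startswith('**', i):
            out.append('.*'); i += 2; continue
        if c == '*': out.append('[^/]*')
        elif c == '?': out.append('[^/]')
        elif c == '{': out.append('(?:'); depth += 1
        elif c == ',' and depth: out.append('|')
        elif c == '}' and depth: out.append(')'); depth -= 1
        else: out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')

def rule_allows(rule, path, mask='r'):
    """True if one 'path perms,' rule matches the path and grants every bit in mask."""
    path_glob, perms = rule.rstrip(',').split()
    return glob_to_regex(path_glob).match(path) is not None and set(mask) <= set(perms)

def uncovered_denials(text, rules):
    """(profile, path, mask) of DENIED events that none of the given rules would grant."""
    return [(ev['profile'], ev['name'], ev['denied_mask']) for ev in parse_audit(text)
            if ev.get('apparmor') == 'DENIED'
            and not any(rule_allows(r, ev['name'], ev['denied_mask']) for r in rules)]
```

Running `uncovered_denials(SAMPLE_AUDIT, CURRENT_RULES)` reports the snap `_base` path, while the proposed `/var/**/_base/**` rule leaves nothing uncovered.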