libvirt snapshots specifying --memspec need apparmor support
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Confirmed | Low | Unassigned |
Bug Description
In a similar way to what we found in bug 1845506, where multiple disks can kill the rules for each other, the rarely used snapshot option --memspec has issues as well.
If used, the flow reaches access to the disks before rules are added (maybe none are added for memspec, but the failing one is on the actual snapshot, which works without --memspec).
So a rule that would be created isn't present in this case at the time the access starts.
Repro:

```sh
#1 get a guest
$ uvt-kvm create --host-passthrough --password=ubuntu h-test release=hirsute arch=amd64 label=daily
# get rid of secondary disk (otherwise we'd need to back that up as well)
$ virsh detach-disk h-test vdb
$ virsh snapshot-create-as --domain h-test --name h-test-snap --diskspec vda,snapshot=
```
Denial:
[3006813.872572] audit: type=1400 audit(160637424
IMHO this is super uncommon (exists for years and had no report yet), but if one is affected you'd need to add an override either for all guests (/etc/apparmor.
Due to that, prio is IMHO low, but this bug shall help if people search the net for it, and be a place to chime in outlining why this use-case is more important than we think atm.
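Added example (not part of the bug report or of libvirt): a small Python triage script that parses AppArmor type=1400 audit lines like the truncated denial quoted above and groups the denied paths by libvirt guest profile (libvirt-<uuid>), so the file that needs a rule can be matched to the failing --memspec snapshot. The sample log lines, UUID, pids and paths are constructed.

```python
import re
from collections import defaultdict

# Key/value pairs as the AppArmor audit subsystem emits them: quoted or bare.
_KV = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_denial(line):
    """Return the fields of a type=1400 apparmor="DENIED" line, else None."""
    if "type=1400" not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        key = m.group(1) or m.group(3)
        fields[key] = m.group(2) if m.group(2) is not None else m.group(4)
    return fields if fields.get("apparmor") == "DENIED" else None


def libvirt_denials(lines):
    """Map each libvirt-<uuid> guest profile to its (operation, path, denied_mask) triples."""
    out = defaultdict(list)
    for line in lines:
        d = parse_denial(line)
        if d and d.get("profile", "").startswith("libvirt-"):
            out[d["profile"]].append((d.get("operation"), d.get("name"), d.get("denied_mask")))
    return dict(out)


# Constructed sample in the dmesg/audit format of the denial quoted in the report.
SAMPLE_LOG = [
    '[3006813.872572] audit: type=1400 audit(1606374244.123:8001): apparmor="DENIED" '
    'operation="open" profile="libvirt-2c1d4a6e-0000-4000-8000-000000000001" '
    'name="/var/lib/libvirt/images/h-test-snap.mem" pid=41231 comm="qemu-system-x86" '
    'requested_mask="wc" denied_mask="wc" fsuid=64055 ouid=64055',
    # Complain-mode event: logged as ALLOWED, so it must not be reported as a denial.
    '[3006813.900001] audit: type=1400 audit(1606374244.150:8002): apparmor="ALLOWED" '
    'operation="open" profile="libvirt-2c1d4a6e-0000-4000-8000-000000000001" '
    'name="/var/lib/libvirt/images/h-test.qcow2" pid=41231 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055',
    # Denial from a non-guest profile: filtered out by libvirt_denials().
    '[3006814.000000] audit: type=1400 audit(1606374244.250:8003): apparmor="DENIED" '
    'operation="open" profile="virt-aa-helper" name="/tmp/constructed-example" pid=41300 '
    'comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    "[3006814.100000] usb 1-1: new high-speed USB device number 3 using xhci_hcd",
]

if __name__ == "__main__":
    for profile, events in libvirt_denials(SAMPLE_LOG).items():
        for op, path, mask in events:
            print(f"{profile}: {op} {path} denied ({mask}) -> needs an AppArmor rule")
```

On a real host, feed it the output of `dmesg` or `journalctl -k` instead of SAMPLE_LOG.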
Changed in libvirt (Ubuntu):
importance: Undecided → Low
status: New → Confirmed