I have created the patches that I had in mind and a test PPA [1] (only a subset of the patches created are in there) to verify them.
I have run test builds on Eoan and on upstream/master code levels; upstream code also ran the syntax/style check scripts of the project.
For me the test PPA [1] works for what was identified but has further issues.
I now see (interim state) both rules there:
root@e:~# cat /etc/apparmor.d/libvirt/libvirt-2370eae2-cc9a-493c-b502-d2d64e2ee1d1.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/eoan.log" w,
...
"/dev/vhost-net" rw,
"/var/lib/libvirt/images/eoan-disk1.snapshot2.qcow" rwk,
"/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow" rwk,
But still the snapshot fails and access still is denied by apparmor:
apparmor="DENIED" operation="open" name="/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow" requested_mask="r" ...
... name="/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow"
... name="/var/lib/libvirt/images/eoan-disk2.snapshot1.qcow"
Hmm, those are the same paths ...
So I need to find another issue that affects this before I can go for upstreaming as I want to show the case now working ...
[1]: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1845506-multi-snapshot-apparmor