AppArmor prevents blockcommit
Software environment
- Operating system: Debian 12
- Architecture: x86_64
- kernel version: 6.1.0-17-amd64
- libvirt version: 9.0.0-4
- Hypervisor and version: qemu 1:7.2+dfsg-7+deb12u5
Description of problem
The AppArmor profile generated for the VM blocks the use of blockcommit
to shorten an image's backing chain.
Steps to reproduce
- Create an image chain of length 3: base <- snapshot <- active
- Try to blockcommit
- error: internal error: unable to execute QEMU command 'block-commit': Could not open '/var/lib/libvirt/images/disk.0': Permission denied
Example:
# qemu-img create -f qcow2 -o backing_fmt=qcow2 -b /var/lib/libvirt/images/disk.0 /var/lib/libvirt/images/disk.0.snapshot.1
# virsh --connect qemu:///system snapshot-create-as --name one-0-backup --disk-only --atomic --diskspec vda,file=/var/lib/libvirt/images/disk.0.snapshot.1 --no-metadata --reuse-external one-0
# qemu-img create -f qcow2 -o backing_fmt=qcow2 -b /var/lib/libvirt/images/disk.0.snapshot.1 /var/lib/libvirt/images/disk.0.snapshot.2
# virsh --connect qemu:///system snapshot-create-as --disk-only --atomic --reuse-external --no-metadata --diskspec vda,file=/var/lib/libvirt/images/disk.0.snapshot.2 one-0
# First blockcommit works fine
# virsh --connect qemu:///system blockcommit --wait --top /var/lib/libvirt/images/disk.0.snapshot.1 --base /var/lib/libvirt/images/disk.0.0 one-0 vda
# qemu-img create -f qcow2 -o backing_fmt=qcow2 -b /var/lib/libvirt/images/disk.0.snapshot.2 /var/lib/libvirt/images/disk.0.snapshot.3
# virsh --connect qemu:///system snapshot-create-as --disk-only --atomic --reuse-external --no-metadata --diskspec vda,file=/var/lib/libvirt/images/disk.0.snapshot.3 one-0
# Second blockcommit fails
# virsh --connect qemu:///system blockcommit --wait --top /var/lib/libvirt/images/disk.0.snapshot.2 --base /var/lib/libvirt/images/disk.0 one-0 vda
error: internal error: unable to execute QEMU command 'block-commit': Could not open '/var/lib/libvirt/images/disk.0': Permission denied
AppArmor profile of the VM (problematic lines marked with <<<<<<<<<)
# cat libvirt-197c477b-1059-4982-a77c-57933e956342.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/one-0.log" w,
"/var/lib/libvirt/qemu/domain-one-0/monitor.sock" rw,
"/var/lib/libvirt/qemu/domain-16-one-0/*" rw,
"/run/libvirt/**/one-0.pid" rwk,
"/run/libvirt/**/*.tunnelmigrate.dest.one-0" rw,
"/var/lib/libvirt/images/disk.0.snapshot.2" rwk,
"/var/lib/libvirt/images/disk.0" rk, <<<<<<<<<
# don't audit writes to readonly files
deny "/var/lib/libvirt/images/disk.0" w, <<<<<<<<<
"/var/lib/libvirt/images/disk.1" rk,
# don't audit writes to readonly files
deny "/var/lib/libvirt/images/disk.1" w,
"/var/lib/libvirt/qemu/channel/target/domain-16-one-0/org.qemu.guest_agent.0" rw,
"/dev/vhost-net" rw,
"/var/lib/libvirt/images/disk.0.snapshot.3" rwk,
"/var/lib/libvirt/images/disk.0" rwk,
"/var/lib/libvirt/images/disk.0" rwk,
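The profile above grants disk.0 `rk`, then later `rwk`, but also carries `deny ... w` for the same path; AppArmor applies deny rules before allow rules regardless of their order in the file, so the write stays blocked even after the later grant. The script below is an added check, not part of this report or of libvirt: it parses a generated `.files` profile and flags paths where a deny overrides a granted permission. The embedded profile is a constructed excerpt modelled on the lines above.

```python
"""Flag AppArmor file rules where an explicit deny overrides an allow.

AppArmor evaluates deny rules before allow rules, independent of order, so
a path that is both `deny ... w` and later granted `rwk` remains unwritable.
"""
import re

# Constructed sample: abbreviated copy of the problematic libvirt rules.
SAMPLE_PROFILE = """\
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/lib/libvirt/images/disk.0.snapshot.2" rwk,
  "/var/lib/libvirt/images/disk.0" rk,
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/disk.0" w,
  "/var/lib/libvirt/images/disk.1" rk,
  deny "/var/lib/libvirt/images/disk.1" w,
  "/var/lib/libvirt/images/disk.0.snapshot.3" rwk,
  "/var/lib/libvirt/images/disk.0" rwk,
"""

# Matches quoted-path file rules such as:  deny "/path" w,   or   "/path" rwk,
RULE_RE = re.compile(r'^\s*(deny\s+)?"([^"]+)"\s+([a-zA-Z]+)\s*,\s*$')


def parse_rules(text):
    """Return (allow, deny): dicts mapping path -> set of permission letters."""
    allow, deny = {}, {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:  # comments, blank lines, rules without a quoted path
            continue
        is_deny, path, perms = m.groups()
        target = deny if is_deny else allow
        target.setdefault(path, set()).update(perms)
    return allow, deny


def find_conflicts(text):
    """Return {path: sorted perms} for permissions both denied and granted.

    Because deny wins, every permission listed here is effectively denied.
    """
    allow, deny = parse_rules(text)
    conflicts = {}
    for path, denied in deny.items():
        overlap = denied & allow.get(path, set())
        if overlap:
            conflicts[path] = sorted(overlap)
    return conflicts


if __name__ == "__main__":
    for path, perms in find_conflicts(SAMPLE_PROFILE).items():
        print(f"{path}: '{''.join(perms)}' granted but overridden by deny")
```

Run it against `/etc/apparmor.d/libvirt/libvirt-<uuid>.files` on the affected host to confirm the same conflict before the second blockcommit is attempted.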