AppArmor prevents blockcommit
<!-- See https://libvirt.org/bugs.html#how-to-file-high-quality-bug-reports -->

## Software environment

- Operating system: Debian 12 (also Debian 13)
- Architecture: x86_64
- kernel version: 6.1.0-17-amd64
- libvirt version: 9.0.0-4
- Hypervisor and version: qemu 1:7.2+dfsg-7+deb12u5

## Description of problem

AppArmor profile blocks using `blockcommit` to shorten the image backing chain.

## Steps to reproduce

1. Create an image chain of length 3: base <- snapshot <- active
2. Try to blockcommit
3. error: internal error: unable to execute QEMU command 'block-commit': Could not open '/var/lib/libvirt/images/disk.0': Permission denied

Example:

```
# qemu-img create -f qcow2 -o backing_fmt=qcow2 -b /var/lib/libvirt/images/disk.0 /var/lib/libvirt/images/disk.0.snapshot.1
# virsh --connect qemu:///system snapshot-create-as --name one-0-backup --disk-only --atomic --diskspec vda,file=/var/lib/libvirt/images/disk.0.snapshot.1 --no-metadata --reuse-external one-0

# qemu-img create -f qcow2 -o backing_fmt=qcow2 -b /var/lib/libvirt/images/disk.0.snapshot.1 /var/lib/libvirt/images/disk.0.snapshot.2
# virsh --connect qemu:///system snapshot-create-as --disk-only --atomic --reuse-external --no-metadata --diskspec vda,file=/var/lib/libvirt/images/disk.0.snapshot.2 one-0

# First blockcommit works fine
# virsh --connect qemu:///system blockcommit --wait --top /var/lib/libvirt/images/disk.0.snapshot.1 --base /var/lib/libvirt/images/disk.0.0 one-0 vda

# qemu-img create -f qcow2 -o backing_fmt=qcow2 -b /var/lib/libvirt/images/disk.0.snapshot.2 /var/lib/libvirt/images/disk.0.snapshot.3
# virsh --connect qemu:///system snapshot-create-as --disk-only --atomic --reuse-external --no-metadata --diskspec vda,file=/var/lib/libvirt/images/disk.0.snapshot.3 one-0

# Second blockcommit fails
# virsh --connect qemu:///system blockcommit --wait --top /var/lib/libvirt/images/disk.0.snapshot.2 --base /var/lib/libvirt/images/disk.0 one-0 vda
```

```
error: internal error: unable to execute QEMU command 'block-commit': Could not open '/var/lib/libvirt/images/disk.0': Permission denied
```

AppArmor profile of the VM (problematic lines)

```
# cat libvirt-197c477b-1059-4982-a77c-57933e956342.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/one-0.log" w,
  "/var/lib/libvirt/qemu/domain-one-0/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain-16-one-0/*" rw,
  "/run/libvirt/**/one-0.pid" rwk,
  "/run/libvirt/**/*.tunnelmigrate.dest.one-0" rw,
  "/var/lib/libvirt/images/disk.0.snapshot.2" rwk,
  "/var/lib/libvirt/images/disk.0" rk, <<<<<<<<<
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/disk.0" w, <<<<<<<<<
  "/var/lib/libvirt/images/disk.1" rk,
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/disk.1" w,
  "/var/lib/libvirt/qemu/channel/target/domain-16-one-0/org.qemu.guest_agent.0" rw,
  "/dev/vhost-net" rw,
  "/var/lib/libvirt/images/disk.0.snapshot.3" rwk,
  "/var/lib/libvirt/images/disk.0" rwk,
  "/var/lib/libvirt/images/disk.0" rwk,
```
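The following diagnostic is an added example, not part of the original report or of libvirt. AppArmor gives `deny` rules precedence over allow rules, so this script scans a generated `.files` profile for paths where a permission is both allowed and denied. The function names and the exact-path matching (globs are not expanded) are assumptions of the example, and the sample input is built from the image rules quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the disk image rules quoted in the report above.
SAMPLE_PROFILE = '''\
  "/var/lib/libvirt/images/disk.0.snapshot.2" rwk,
  "/var/lib/libvirt/images/disk.0" rk, <<<<<<<<<
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/disk.0" w, <<<<<<<<<
  "/var/lib/libvirt/images/disk.1" rk,
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/disk.1" w,
  "/var/lib/libvirt/images/disk.0.snapshot.3" rwk,
  "/var/lib/libvirt/images/disk.0" rwk,
'''

# One file rule per line: optional "deny", quoted path, permission letters, comma.
RULE_RE = re.compile(r'^\s*(deny\s+)?"([^"]+)"\s+([a-zA-Z]+)\s*,')

def parse_rules(text):
    """Return {path: {"allow": set(perms), "deny": set(perms)}}."""
    rules = defaultdict(lambda: {"allow": set(), "deny": set()})
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a file rule
        kind = "deny" if m.group(1) else "allow"
        rules[m.group(2)][kind].update(m.group(3))
    return dict(rules)

def shadowed_permissions(text):
    """Map each path to the permissions an allow rule grants but a deny rule removes.

    Only identical path strings are compared (assumption: no glob expansion).
    """
    out = {}
    for path, r in parse_rules(text).items():
        clash = r["allow"] & r["deny"]
        if clash:
            out[path] = "".join(sorted(clash))
    return out

if __name__ == "__main__":
    for path, perms in shadowed_permissions(SAMPLE_PROFILE).items():
        print(f"{path}: allowed '{perms}' is overridden by a deny rule")
```

Run against the sample, it reports only `/var/lib/libvirt/images/disk.0`, the path named in the `Permission denied` error.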