libvirt-daemon-system: blockcommit => permission denied
Software environment
- Operating system: Debian 13 trixie
- Architecture: x86_64
- Kernel version: 6.12.41+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.41-1 (2025-08-12) x86_64 GNU/Linux
- libvirt version: 11.3.0
- Hypervisor and version: KVM/QEMU emulator version 10.0.2
Description of problem
I would like to bring to your attention a long-standing AppArmor-related bug affecting blockcommit disk operations in libvirt, originally documented in the following distributions:
Debian bug #932456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932456
Reproduced on multiple versions including Debian 10 (Buster) and still present in latest Debian 13 (Trixie).
The issue surfaces as a "permission denied" error when running virsh blockcommit on a VM disk with AppArmor enabled. Analysis has shown that the AppArmor profiles libvirt generates via virt-aa-helper incorrectly add a deny-write rule for the read-only base disk, which prevents blockcommit from reopening it for writing.
Ubuntu bug #1554031: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1554031
Ubuntu maintainers tracked and resolved the same issue some time ago by integrating a patch which alters virt-aa-helper to avoid generating deny rules for readonly disks.
Patch references:
Debian (v5 and v7 patches):
- https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=932456;filename=v5-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch;msg=50
- https://bugs.debian.org/cgi-bin/bugreport.cgi?att=2;bug=932456;filename=v7-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch;msg=50
Ubuntu:
How to reproduce the bug
Create an external snapshot of a virtual machine disk using libvirt. For example:
    virsh snapshot-create-as --domain <vm-name> --name snapshot1 --disk-only --atomic --no-metadata --diskspec vda,snapshot=external
Attempt to delete the snapshot or perform a blockcommit to merge the snapshot changes back into the base image. For example:
    virsh blockcommit <vm-name> vda --active --pivot
This fails with the error message:
    error: internal error: unable to execute QEMU command 'block-commit': Could not reopen file: Permission denied
If you temporarily disable the AppArmor profile, for instance by switching it to complain mode or unloading it, the blockcommit operation succeeds and the snapshot can be deleted.
Disabling AppArmor or patching manually removes the issue, but neither is a suitable workaround for production environments.
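The following script is an added diagnostic, not part of this report or of libvirt: it scans a libvirt-generated AppArmor profile for deny-write rules that cover files in a disk's backing chain, which is exactly the rule the analysis above blames for the "Permission denied" during block-commit. It assumes virt-aa-helper writes such rules in the shape `deny "/path/to/base.qcow2" w,`; the profile fragment and image paths it uses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the bug report: scan a libvirt-generated
# AppArmor profile for "deny ... w," rules that cover files in a disk's
# backing chain. Such a rule on the base image is what makes block-commit
# fail with "Could not reopen file: Permission denied".
#
# Assumption: virt-aa-helper writes read-only disk rules in the shape
#   deny "/path/to/base.qcow2" w,
# The profile content and image paths below are constructed for the demo.

# Print every path the profile denies write access to, one per line.
deny_write_paths() {
    sed -n 's/^[[:space:]]*deny[[:space:]]*"\([^"]*\)"[[:space:]]*w,.*/\1/p' "$1"
}

# Usage: blocked_backing_files PROFILE PATH...
# Print each PATH the profile denies writes to; exit 1 if any matched,
# 0 if AppArmor leaves the whole chain writable.
blocked_backing_files() {
    profile=$1
    shift
    found=0
    for path in "$@"; do
        if deny_write_paths "$profile" | grep -qxF -- "$path"; then
            echo "$path"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Write a constructed profile fragment (demo data, not a real domain's file)
# to the given path: the base image is readable but explicitly denied
# writes, the active overlay is writable.
write_demo_profile() {
    cat > "$1" <<'EOF'
  "/var/lib/libvirt/images/base.qcow2" rk,
  deny "/var/lib/libvirt/images/base.qcow2" w,
  "/var/lib/libvirt/images/snapshot1.qcow2" rwk,
EOF
}

# Demo run: the constructed chain is base.qcow2 <- snapshot1.qcow2.
demo_profile=$(mktemp)
write_demo_profile "$demo_profile"
if blocked=$(blocked_backing_files "$demo_profile" \
        /var/lib/libvirt/images/base.qcow2 \
        /var/lib/libvirt/images/snapshot1.qcow2); then
    echo "no deny-write rule on the backing chain; AppArmor will not block block-commit"
else
    echo "AppArmor denies writes to these backing-chain files (block-commit will fail):"
    echo "$blocked"
fi
rm -f "$demo_profile"
```

On a real host, feed `blocked_backing_files` the domain's generated profile under /etc/apparmor.d/libvirt/ together with the paths reported by `qemu-img info --backing-chain` for the active overlay; a non-empty result before running `virsh blockcommit` tells you the operation will be denied without having to switch the profile to complain mode.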
Recent findings: I have personally confirmed that this bug still exists on Debian 13 (Trixie). Applying the referenced patch solves the problem on this latest version.
Request
Would it be possible for libvirt upstream to integrate this patch so that all distributions and users benefit from the fix natively? The solution is already shipping in Ubuntu, aligns with best practices for AppArmor integration, and restores essential blockcommit functionality without disabling AppArmor.
Please let me know if you need further details or want help testing on current Debian or other platforms.
Thank you for your attention to this!