I faced the same issue with libvirt / AppArmor while designing backup
solutions for our systems and found a possible solution.
Ubuntu carries (among many others) one relevant patch:
0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch
https://git.launchpad.net/ubuntu/+source/libvirt/tree/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch
I ported the Ubuntu Focal patch back to libvirt v5 and blockcommit works
for me on Buster with AppArmor enabled / enforcing.
Bullseye should work the same with the patch from Ubuntu Hirsute (v7).
If I can help test this by providing source / binary packages or a
Docker build environment, please let me know.
--
Fabian Zaremba
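As an added illustration (not part of this report and not libvirt's own code), a small Python model of the profile-rule generation that the commit message of the attached patch describes: the same call sites with the old `rk` and the new `Rk` request, and a check that the `R` marker never grants write access. The function names mirror virt-aa-helper's for readability only; the bodies are a constructed model, and the behaviour encoded is just what the patch description states.

```python
# Python model, constructed for this post (not libvirt's code), of how
# virt-aa-helper's vah_add_file() turns a permission string into profile
# lines.  Taken from the patch description: a plain read-only request
# ("rk") gets an implicit `deny ... w` rule so expected write denials are
# not audited; the 'R' marker suppresses that deny and is rewritten to 'r'
# because 'R' is not an AppArmor file permission.


def vah_add_file(path: str, perms: str) -> list[str]:
    """Return the AppArmor profile lines for one path (model)."""
    if "R" in perms:
        # 'R' is a helper-internal marker: read access, but suppress the
        # implicit deny-write rule so write access can be granted later
        # (e.g. for blockcommit) without a conflicting explicit deny.
        perms = perms.replace("R", "r")
        add_deny_write = False
    else:
        # Read-only request: add the explicit deny so the expected write
        # denials do not show up in the audit log.
        add_deny_write = "r" in perms and "w" not in perms
    lines = [f'  "{path}" {perms},']
    if add_deny_write:
        lines.append("  # don't audit writes to readonly files")
        lines.append(f'  deny "{path}" w,')
    return lines


def add_file_path(path: str, readonly: bool, depth: int,
                  patched: bool) -> list[str]:
    """Model of the call sites the patch touches: patched=False is the
    old "rk" behaviour, patched=True the new "Rk" one.  depth == 0 is the
    disk image itself, depth > 0 an entry further down its chain."""
    ro = "Rk" if patched else "rk"
    if depth == 0:
        return vah_add_file(path, ro if readonly else "rwk")
    return vah_add_file(path, ro)


def grants_write(lines: list[str], path: str) -> bool:
    """True only if a non-deny rule for `path` carries the 'w' permission."""
    for line in lines:
        rule = line.strip()
        if rule.startswith(("#", "deny")):
            continue
        if rule.startswith(f'"{path}"'):
            perms = rule[len(path) + 2:].rstrip(",").strip()
            if "w" in perms:
                return True
    return False
```

With `patched=True` the read-only entry loses only its `deny ... w` line; its permissions are still `rk`, so a write attempt is still refused by AppArmor's default deny, now with a DENIED log entry instead of silence.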
From: Serge Hallyn <serge.hal...@ubuntu.com>
Date: Wed, 10 May 2017 15:16:30 +0200
Subject: [PATCH 31/33] virt-aa-helper: Ask for no deny rule for readonly disk elements
Just because a disk element only requests read access doesn't mean
there may not be another readwrite request.
Using 'R' when creating the apparmor rule will prevent an implicit
write-deny rule from being created alongside. This does not mean write
is allowed, but it would cause a denial message and, probably more
relevant, allows adding write access later.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554031
Review note: Investigate whether instead of dropping explicit deny
write it would be possible to create explicit blockcommit rules
(LP: #1692441).
Forwarded: no (part of continuous upstreaming effort)
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
Signed-off-by: Stefan Bader <stefan.ba...@canonical.com>
Index: libvirt-5.0.0/src/security/virt-aa-helper.c
===================================================================
--- libvirt-5.0.0.orig/src/security/virt-aa-helper.c
+++ libvirt-5.0.0/src/security/virt-aa-helper.c
@@ -917,11 +917,11 @@ add_file_path(virDomainDiskDefPtr disk,
if (depth == 0) {
if (disk->src->readonly)
- ret = vah_add_file(buf, path, "rk");
+ ret = vah_add_file(buf, path, "Rk");
else
ret = vah_add_file(buf, path, "rwk");
} else {
- ret = vah_add_file(buf, path, "rk");
+ ret = vah_add_file(buf, path, "Rk");
}
if (ret != 0)
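Review bot: the "rk" to "Rk" change in both branches of this hunk only does what the description says if vah_add_file() treats 'R' as a helper-internal marker (read access, but no implicit `deny ... w` rule) and rewrites it to 'r' before the rule is written out; 'R' is not an AppArmor file permission, so if the helper in this 5.0.0 tree has not been given that handling, the generated line `"path" Rk,` will not parse and the guest will fail to start. That helper change is not part of this hunk, so a one-line comment at the call site, e.g. `/* 'R': readonly, but skip the explicit deny-w rule (see vah_add_file) */`, would make the dependency visible to anyone backporting this patch on its own.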
From df20057fd2774cd61d86a6f0a7f05a545e1bd862 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hal...@ubuntu.com>
Date: Wed, 10 May 2017 15:16:30 +0200
Subject: [PATCH 31/33] virt-aa-helper: Ask for no deny rule for readonly disk elements
Just because a disk element only requests read access doesn't mean
there may not be another readwrite request.
Using 'R' when creating the apparmor rule will prevent an implicit
write-deny rule from being created alongside. This does not mean write
is allowed, but it would cause a denial message and, probably more
relevant, allows adding write access later.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554031
Review note: Investigate whether instead of dropping explicit deny
write it would be possible to create explicit blockcommit rules
(LP: #1692441).
Forwarded: no (part of continuous upstreaming effort)
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
Signed-off-by: Stefan Bader <stefan.ba...@canonical.com>
---
src/security/virt-aa-helper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -883,11 +883,11 @@ add_file_path(virStorageSourcePtr src,
if (depth == 0) {
if (src->readonly)
- ret = vah_add_file(buf, src->path, "rk");
+ ret = vah_add_file(buf, src->path, "Rk");
else
ret = vah_add_file(buf, src->path, "rwk");
} else {
- ret = vah_add_file(buf, src->path, "rk");
+ ret = vah_add_file(buf, src->path, "Rk");
}
if (ret != 0)
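Review bot: the else branch (depth != 0, the entries below the top-level image) is the one that matters for the blockcommit case this patch is meant to unblock, since a commit writes into a file that was previously only requested read-only; the description should state the trade-off explicitly: after this change a write attempt against those paths is still refused (the rule is `rk`, not `rwk`), but it now produces an AppArmor denial in the log instead of being suppressed by the explicit deny rule, which is also what operators will see if a blockcommit is attempted before the profile is updated. The "Review note" in the description already points at the alternative of explicit blockcommit rules (LP: #1692441); recording why the blanket marker was chosen over that would help whoever revisits this.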