We have been working on a feature at IBM Cloud around snapshots. One of the workflows is to add a snapshotted disk to a running virtual instance. This involves adding a disk that has at minimum 2 qcow2 files, one for the active overlay and one or more backing files.

The problem we are running into is that the dynamic update of the AppArmor profile appears to only add the first file in the chain to the profile. Based on some experiments, it appears that this should be adding all the files to the security profile, but it seems to only do the first (topmost) file.

"disk->src"
https://gitlab.com/libvirt/libvirt/-/blob/a7db0b757d210071d39e6d116e6a4bc761e2ed66/src/qemu/qemu_hotplug.c#L695

It does not appear to loop over the disks, whereas qemuBlockStorageSourceChainAttach does:
https://gitlab.com/libvirt/libvirt/-/blob/a7db0b757d210071d39e6d116e6a4bc761e2ed66/src/qemu/qemu_block.c#L1919

The attached disk then fails since AppArmor will reject access to the backing files.

This is fairly easy to demonstrate when AppArmor is active.

<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/mnt2/hotplug2.qcow2' index='1'/>
  <backingStore type='file' index='2'>
    <format type='qcow2'/>
    <source file='/mnt2/hotplug1.qcow2'/>
    <backingStore/>
  </backingStore>
  <target dev='vdc' bus='virtio'/>
</disk>

virsh attach-device test1 /mnt2/attach.xml

[535657.524784] audit: type=1400 audit(1608242451.762:79): apparmor="DENIED" operation="open" profile="libvirt-a7fd0ca2-1429-4a60-9ab4-a545660666ce" name="/mnt2/hotplug1.qcow2" pid=11999 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055

-Russell Cattelan
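
An added example, not part of the original post or of libvirt: a small Python check that walks the backing chain in the disk XML and matches each file against AppArmor DENIED audit records, showing which layer of the chain the profile is missing. The function names are hypothetical, the sample input is the disk XML and audit line quoted in the post, and only type='file' sources are handled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input, using the disk XML and audit record quoted in the post.
DISK_XML = """<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/mnt2/hotplug2.qcow2' index='1'/>
  <backingStore type='file' index='2'>
    <format type='qcow2'/>
    <source file='/mnt2/hotplug1.qcow2'/>
    <backingStore/>
  </backingStore>
  <target dev='vdc' bus='virtio'/>
</disk>"""
AUDIT_LOG = ('[535657.524784] audit: type=1400 audit(1608242451.762:79): apparmor="DENIED" '
             'operation="open" profile="libvirt-a7fd0ca2-1429-4a60-9ab4-a545660666ce" '
             'name="/mnt2/hotplug1.qcow2" pid=11999 comm="qemu-system-x86" '
             'requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055')

def backing_chain(disk_xml):
    """Return every file in the chain, topmost overlay first."""
    chain, node = [], ET.fromstring(disk_xml)
    while node is not None:
        src = node.find("source")
        if src is None or src.get("file") is None:
            break  # an empty <backingStore/> terminates the chain
        chain.append(src.get("file"))
        node = node.find("backingStore")
    return chain

def apparmor_denials(log_text):
    """Parse the key=value fields of each AppArmor DENIED audit record."""
    records = []
    for line in log_text.splitlines():
        pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
        fields = {k: v.strip('"') for k, v in pairs}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records

def chain_denials(disk_xml, log_text):
    """List (depth, path, denied_mask or None) for every file in the chain."""
    denied = {r["name"]: r["denied_mask"] for r in apparmor_denials(log_text) if "name" in r and "denied_mask" in r}
    return [(d, p, denied.get(p)) for d, p in enumerate(backing_chain(disk_xml))]

if __name__ == "__main__":
    for depth, path, mask in chain_denials(DISK_XML, AUDIT_LOG):
        print(f"depth {depth}: {path}: {'DENIED ' + mask if mask else 'no denial logged'}")
```

On the sample input, depth 0 (the overlay) has no denial logged while depth 1 (the backing file) is denied read access, which matches the behaviour described in the post.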