Hello,

On Saturday, 30 July 2016, 14:06:48 CEST, intrigeri wrote:
> Guido Günther:
> > /sbin/apparmor_parser -r
> > /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a
> > virsh qemu-monitor-command wheezy --pretty --cmd
> > '{"execute":"human-monitor-command","arguments":{"command-line":
> > "drive_add dummy file=/var/li
>
> AFAIK an already running process is not affected by changes to its
> AppArmor profile, as "Profiles are applied to a process at exec(3)
> time" (apparmor(7)).
>
> So I don't see how we can make virsh attach-disk work under AppArmor
> without either rebooting the guest to take into account the updated
> profile, or extending the profile in advance (so that it allows access
> to all disks that one may want to attach later to a domain).
>
> > I have also observed that aa-{disable,complain} don't affect running
> > VMs but this might just be an omission in the documentation.
>
> I think this is somewhat documented in the manpage as quoted above.
I think you are misreading the documentation here ;-)

"Profiles are applied to a process at exec(3) time" (apparmor(7)) means:
if you start a process unconfined (without an AppArmor profile) and load a
profile later, that process will stay unconfined (unless exec(3) gets
called). Also, if you unload a profile and then load it again, running
processes will become and stay unconfined.

OTOH, if you already have a profile loaded, start a process and then reload
the modified profile, it will be applied instantly.

Note that there were bugs both in apparmor_parser and the kernel that broke
reload and could cause the problem you described. So please check if Debian
has the fixes in apparmor_parser (likely, because this was fixed a while
ago) and the kernel (less likely because that patch is quite new). If in
doubt, John should be able to point you to the relevant patches.

Regards,

Christian Boltz
--
> I'll then voluntarily take on the role of the dunce of the day.
No no, my friend, I won't let anyone take that title from me, with my
DSL story... You can't be any more of a dunce than that...
[> Ralf Prengel and Dieter Soost in suse-linux]
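As an added example (not part of this thread, nor AppArmor's or libvirt's own tooling), a small POSIX shell check for the reload behaviour discussed above: it reads a process's AppArmor label from /proc/<pid>/attr/current before and after `apparmor_parser -r`, so one can tell whether the running domain kept its profile or fell to unconfined. It assumes the classic /proc/<pid>/attr/current interface and a root shell on a host with AppArmor enabled; the label parser takes a file path so it can also be exercised against a constructed file.

```shell
#!/bin/sh
# aa_label FILE: read an AppArmor process label from a
# /proc/<pid>/attr/current-style file and print either "unconfined"
# or "<profile>|<mode>" (e.g. "libvirt-<uuid>|enforce").
aa_label() {
  label=$(tr -d '\n\000' < "$1")
  case "$label" in
    unconfined) printf 'unconfined\n' ;;
    *' ('*')')
      mode=${label##* (}        # text after the last " (" -> "enforce)"
      mode=${mode%)}            # strip the closing paren
      printf '%s|%s\n' "${label%% (*}" "$mode" ;;
    *) printf '%s|unknown\n' "$label" ;;
  esac
}

# reload_and_compare PID PROFILE_FILE: record the label, reload the
# profile with apparmor_parser -r, record it again. Returns non-zero if
# the label changed (e.g. the process dropped to unconfined, which is
# the symptom the reload bugs mentioned above produce). Needs root.
reload_and_compare() {
  attr="/proc/$1/attr/current"
  before=$(aa_label "$attr")
  apparmor_parser -r "$2" || return 2
  after=$(aa_label "$attr")
  printf 'before: %s\nafter:  %s\n' "$before" "$after"
  [ "$before" = "$after" ]
}

# Usage: ./check.sh <pid of the qemu process> \
#            /etc/apparmor.d/libvirt/libvirt-<uuid>
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  reload_and_compare "$1" "$2"
fi
```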