libvirt's security driver API offers several functions to restore the domain security labels. These functions are called upon various events, one of them being the runtime removal of a hot-plug device.

In the case of the AppArmor security driver, these functions call the helper /usr/lib/libvirt/virt-aa-helper to update the AppArmor dynamic profile (generated at VM runtime):

/usr/lib/libvirt/virt-aa-helper -r -u <UUID> (-r: replace)

This will wipe out the current dynamic profile and generate a brand new one based on the VM domain definition, which does not contain the hot-plug devices. As a consequence, the new profile does not contain any rule for the dynamic devices that the VM might still have.

https://bugs.launchpad.net/bugs/2126574
Title: Fix AppArmor policy restore for runtime rules (upstream #692)

-- ubuntu-bugs mailing list https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
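An added check, not part of this bug report or of libvirt, that a host operator can run after such a profile restore: it parses the live domain XML (as printed by virsh dumpxml) and the dynamic profile's .files list, and reports attached file-backed disks that the regenerated profile no longer covers. The domain, profile contents and paths below are constructed samples, and the quoted-path rule format assumed for the .files profile is an assumption about virt-aa-helper's output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a domain with one disk from the persistent definition
# (vda) and a second disk that was hot-plugged at runtime (vdb). Paths are
# hypothetical.
DOMAIN_XML = """<domain type='kvm'>
  <name>demo</name>
  <uuid>00000000-0000-0000-0000-000000000001</uuid>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/demo.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/hotplugged.qcow2'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
  </devices>
</domain>"""

# Constructed sample of the dynamic profile (libvirt-<UUID>.files) after a
# replace: it only lists the disk present in the saved domain definition.
# The '"<path>" <perms>,' line format is an assumption.
PROFILE_FILES = """# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/lib/libvirt/images/demo.qcow2" rwk,
  "/dev/hugepages/libvirt/qemu/1-demo/**" rw,
"""

RULE_RE = re.compile(r'^\s*"([^"]+)"\s+[a-zA-Z]+,\s*$')

def profile_paths(profile_text):
    """Return the set of quoted paths granted by the .files profile."""
    return {m.group(1) for line in profile_text.splitlines()
            if (m := RULE_RE.match(line))}

def attached_disk_paths(domain_xml):
    """Return the backing-file path of every file-backed disk in the live XML."""
    root = ET.fromstring(domain_xml)
    return [src.get("file")
            for src in root.findall("./devices/disk[@type='file']/source")
            if src.get("file")]

def missing_device_rules(domain_xml, profile_text):
    """Attached disks that have no rule in the dynamic profile."""
    granted = profile_paths(profile_text)
    return [p for p in attached_disk_paths(domain_xml) if p not in granted]

if __name__ == "__main__":
    for path in missing_device_rules(DOMAIN_XML, PROFILE_FILES):
        print("no AppArmor rule for attached disk:", path)
```

On a real host, feed it the output of virsh dumpxml <domain> and the contents of /etc/apparmor.d/libvirt/libvirt-<UUID>.files; a non-empty result means the guest can still hold a device the profile no longer permits.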
