On Thu, Aug 16, 2018 at 23:03:40 +0300, Povilas Kanapickas wrote:
> On 16/08/2018 10:38, Peter Krempa wrote:
> > To fix this you should record the backing format into your overlay
> > image. If we'd relax the code we'd face the regression in the security
> > fix we've done.
> >
> >  qemu-img create -f qcow2 -F qcow2 -b backing-qcow2 overlay.qcow2
> >
> > -F option specifies the format of the backing file
> >
>
> Thanks a lot for your explanation, now I see that my proposal does not
> make any sense. Your suggestion works fine and virt-aa-helper produces
> correct output.
>
> Do you think this situation should ideally be diagnosed by higher-level
> tools such as virt-manager which right now emit a generic permission
> denied error?

The current way things are implemented is that we don't even try to
probe the type of the backing file if the format is not specified so the
libvirt code is not sure whether the backing image is raw or not.

We certainly can propagate the fact inside libvirt but we can't fail
startup of the VM in such case since the image might have been raw in
fact which would be safe to do and the VM will start. Reporting warnings
is generally possible but they end up in the logs only which is not
entirely obvious.

In case of virt-manager it's not as easy. virt-manager needs to be able
to operate on remote connections (thus not be able to inspect the files
present locally if they are not present in a libvirt storage pool). This
means that since it will not get an error from libvirt and is not able
to inspect the files it's hard to implement such a warning.

> Maybe virt-aa-helper could also emit a comment into the apparmor profile
> saying something like "image.img has a backing image xyz.img but it was
> not probed because its format is not recorded into the overlay image"?

As this is using libvirt's image detection code it may be possible to
add a field in the virStorageSource structure where we note that the
format was assumed as raw due to failed format detection. The
virt-aa-helper then could print that message in such case.

From libvirt's point of view the warning could be recorded in the VM log
file. The problem still is that it may work in some cases. Or even the
VM may start, but the contents of the disk will be corrupted.

Currently we just don't allow qemu to use any of the backing files if
the format detection has failed, but that does not mean that qemu will
not attempt to open it as qcow2. On the other hand with the upcoming
-blockdev work, we will be able to tell qemu to open the image as raw
instead so the guest will most probably get garbled content.
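
Added example, not part of the original message and not libvirt or virt-aa-helper code: a Python check that reads the start of a qcow2 overlay and reports whether the backing file format (what `-F` records) is present in the header. The field offsets and the 0xE2792ACA extension type follow the qcow2 format specification; `backing_info` and `make_header` are hypothetical names, and the sample headers are constructed.

```python
import struct
import sys

QCOW2_MAGIC = b"QFI\xfb"
EXT_END = 0x00000000
EXT_BACKING_FORMAT = 0xE2792ACA  # "backing file format name" extension

def backing_info(header):
    """Return (backing_file, backing_format) parsed from the start of an image.
    backing_format is None when the overlay does not record it."""
    if header[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version, bf_off, bf_len = struct.unpack_from(">IQI", header, 4)
    if bf_off == 0:
        return None, None  # no backing file at all
    backing_file = header[bf_off:bf_off + bf_len].decode()
    # Extensions follow the fixed header: 72 bytes in v2, header_length in v3.
    pos = 72 if version == 2 else struct.unpack_from(">I", header, 100)[0]
    fmt = None
    while pos + 8 <= min(bf_off, len(header)):
        ext_type, ext_len = struct.unpack_from(">II", header, pos)
        if ext_type == EXT_END:
            break
        if ext_type == EXT_BACKING_FORMAT:
            fmt = header[pos + 8:pos + 8 + ext_len].decode()
        pos += 8 + ((ext_len + 7) & ~7)  # extension data is padded to 8 bytes
    return backing_file, fmt

def make_header(backing, fmt):
    """Constructed sample: bare v3 header (not a usable image) for testing."""
    ext = b""
    if fmt is not None:
        ext += struct.pack(">II", EXT_BACKING_FORMAT, len(fmt))
        ext += fmt.ljust((len(fmt) + 7) & ~7, b"\0")
    ext += struct.pack(">II", EXT_END, 0)
    hdr = QCOW2_MAGIC + struct.pack(">IQI", 3, 104 + len(ext), len(backing))
    hdr = hdr.ljust(100, b"\0") + struct.pack(">I", 104)
    return hdr + ext + backing

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            name, fmt = backing_info(f.read(1 << 16))  # assumes <= 64 KiB clusters
        if name and fmt is None:
            print(f"{path}: backing file {name} has no recorded format")
```

Run with overlay paths as arguments; a reported image is one whose backing file libvirt will not probe, as described above.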