[pkg-apparmor] Bug#805002: Bug#805002: libvirt-client: "virsh attach-disk" fails with AppArmor enabled

John Johansen john.johansen at canonical.com
Sun Jul 31 10:40:48 UTC 2016


On 07/30/2016 07:54 AM, intrigeri wrote:
> Hi,
> 
> Christian Boltz:
>> I think you are misreading the documentation here ;-)
> 
> I suspect it might be easier to improve the documentation,
> than to fix all people who would "misread" it.
> 
> (Sorry I did not find this funny.)
> 
>> OTOH, if you already have a profile loaded, start a process and then 
>> reload the modified profile, it will be applied instantly.
> 
> Thanks!
> 
>> Note that there were bugs both in apparmor_parser and the kernel that 
>> broke reload and could cause the problem you described. So please check 
>> if Debian has the fixes in apparmor_parser (likely, because this was fixed 
>> a while ago) and the kernel (less likely because that patch is quite 
>> new). If in doubt, John should be able to point you to the relevant 
>> patches.
> 
> Good to know! Indeed, I have no clue what kernel patch you're
> referring to ⇒ John, can you please point me to it? Is it part of the
> pull request for 4.8? Thanks in advance!
> 
Yes, and also available in the 4.8 fixes backports I did for 4.4 - 4.7 (I
haven't had time to backport further yet).

git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
v4.4-aa2.8-out-of-tree
v4.5-aa2.8-out-of-tree
v4.6-aa2.8-out-of-tree
v4.7-aa2.8-out-of-tree

Once the 4.8 request gets merged I can look at submitting to stable.

The specific patch for this issue is:
In linux security/next
  ec34fa2 apparmor: fix replacement bug that adds new child to old parent

v4.4-aa2.8-out-of-tree
  b02fdc2 apparmor: fix replacement bug that adds new child to old parent


The kernel side messes up in the specific case of a profile already existing
and the replacement adds new hats.

The userspace fix is rev 3440 in the userspace main branch (lp:apparmor)
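The scenario John describes (a profile that is already loaded, then replaced by a version that adds a new hat while a confined process is running) is easiest to check against a given kernel/parser pair with a small reproducer. The script below is an added example, not code from the thread or from the AppArmor project; the profile name `aa_hat_test`, the hat names, the attachment path `/bin/sleep` and the working directory `/tmp/aa-hat-test` are assumptions made for the illustration. Only the `run` mode touches the kernel (it needs root and `apparmor_parser`); the profile generator itself runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce "replacement adds a
# new hat" against a running confined process. Profile name, hat names,
# attachment path and working directory are assumptions for this illustration.
set -eu

EXE=/bin/sleep            # assumed path of the confined binary

# Emit an AppArmor profile for $EXE containing one hat per argument.
# Usage: gen_profile HAT...
gen_profile() {
    printf '#include <tunables/global>\n\n'
    printf 'profile aa_hat_test %s {\n' "$EXE"
    printf '  #include <abstractions/base>\n'
    printf '  %s mr,\n' "$EXE"
    for hat in "$@"; do
        printf '\n  ^%s {\n    #include <abstractions/base>\n  }\n' "$hat"
    done
    printf '}\n'
}

# Count hat declarations in profile text read on stdin (prints 0 if none).
count_hats() {
    grep -c '^  \^' || true
}

# Load v1 (one hat), start a confined process, then replace the profile with
# v2 (two hats). The commit named in the thread fixes the case where the new
# child hat ends up attached to the old parent; compare the aa-status output
# and the process's confinement before and after the replacement.
run_reproducer() {
    dir=${1:-/tmp/aa-hat-test}
    mkdir -p "$dir"
    gen_profile hat1 > "$dir/v1"
    gen_profile hat1 hat2 > "$dir/v2"

    apparmor_parser -r "$dir/v1"
    "$EXE" 300 &
    pid=$!
    echo "confined pid $pid before replacement: $(cat /proc/$pid/attr/current)"

    apparmor_parser -r "$dir/v2"
    aa-status | grep -A3 aa_hat_test || true
    echo "confined pid $pid after replacement:  $(cat /proc/$pid/attr/current)"

    kill "$pid"
    apparmor_parser -R "$dir/v2"
}

# Only attempt the privileged part when explicitly asked and tooling exists.
if [ "${1:-}" = run ] && command -v apparmor_parser >/dev/null 2>&1; then
    run_reproducer "${2:-/tmp/aa-hat-test}"
fi
```

Run it as `sh reproducer.sh run` on the kernel and parser you want to check: if `/proc/<pid>/attr/current` still reports `aa_hat_test` after the second `apparmor_parser -r` and `aa-status` lists both hats under the new profile, replacement with an added hat behaves as the fix intends.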