Date: Mon, 05 Jan 2026 14:27:21 -0600
Subject: [PATCH 1/3] virt-aa-helper: Ask for no deny rule for readonly disk elements
Message-Id: <20260105-apparmor-races-v1-1-932cf0e990b7@canonical.com>
References: <20260105-apparmor-races-v1-0-932cf0e990b7@canonical.com>
In-Reply-To: <20260105-apparmor-races-v1-0-932cf0e990b7@canonical.com>
To: devel@lists.libvirt.org
CC: wesley.hershberger@canonical.com, georgia.garcia@canonical.com, hector.cao@canonical.com
List-Id: Development discussions about the libvirt library & tools
From: Wesley Hershberger via Devel
Reply-To: Wesley Hershberger

From: Serge Hallyn

Just because a disk element only requests read access doesn't mean there
may not be another readwrite request. Using 'R' when creating the apparmor
rule will prevent an implicit write-deny rule from being created alongside.

This does not mean write is allowed, but it would cause a denial message
and, probably more relevant, allows adding write access later.

Resolves: #622
Resolves: #806
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554031
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1692441
Signed-off-by: Christian Ehrhardt
Signed-off-by: Stefan Bader
Signed-off-by: Wesley Hershberger
Reviewed-by: Michal Privoznik
--- src/security/virt-aa-helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index de0a826063..9598b95432 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c 
@@ -835,11 +835,11 @@ add_file_path(virStorageSource *src, =20 if (depth =3D=3D 0) { if (src->readonly) - ret =3D vah_add_file(buf, src->path, "rk"); + ret =3D vah_add_file(buf, src->path, "Rk"); else ret =3D vah_add_file(buf, src->path, "rwk"); } else { - ret =3D vah_add_file(buf, src->path, "rk"); + ret =3D vah_add_file(buf, src->path, "Rk"); } =20 if (ret !=3D 0) --=20 2.51.0
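Review bot: The two call sites in add_file_path that now pass "Rk" (the src->readonly branch at depth == 0 and the else branch for depth > 0) carry no comment saying how upper-case 'R' differs from 'r', so the intent, suppressing the implicit write-deny rule, lives only in the commit message. A one-line comment above the if (depth == 0) block would keep a later cleanup from normalising "Rk" back to "rk". The else branch also covers every entry below the top of the chain, so it is worth stating in the commit message that dropping the deny there is intended, since the message only talks about readonly disk elements. The handling of 'R' inside vah_add_file is not visible in this hunk; if it is not already documented at that function, that is the place to describe it.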