The 'virt-aa-helper' process gets a XML of the VM it needs to create a
profile for. For a disk type='volume' this XML contained only the
pool and volume name.

The 'virt-aa-helper' needs a local path though for anything it needs to
label. This means that we'd either need to invoke connection to the
storage driver and re-resolve the volume. Alternative which makes more
sense is to pass the proper data in the XML already passed to it via the
new XML formatter and parser flags.

This was indirectly reported upstream in
https://gitlab.com/libvirt/libvirt/-/issues/546

The configuration in the issue above was created by Cockpit on Debian.
Since Cockpit is getting more popular it's more likely that users will
be impacted by this problem.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/security/security_apparmor.c | 8 ++++++--
 src/security/virt-aa-helper.c    | 3 ++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index bce797de7c..6fd0aedacf 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -159,13 +159,17 @@ load_profile(virSecurityManager *mgr G_GNUC_UNUSED,
              bool append)
 {
     bool create = true;
+    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
     g_autofree char *xml = NULL;
     g_autoptr(virCommand) cmd = NULL;

-    xml = virDomainDefFormat(def, NULL, VIR_DOMAIN_DEF_FORMAT_SECURE);
-    if (!xml)
+    if (virDomainDefFormatInternal(def, NULL, &buf,
+                                   VIR_DOMAIN_DEF_FORMAT_SECURE |
+                                   VIR_DOMAIN_DEF_FORMAT_VOLUME_TRANSLATED) < 0)
         return -1;

+    xml = virBufferContentAndReset(&buf);
+
     if (profile_status_file(profile) >= 0)
         create = false;

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 0855eb68ca..be13979cef 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -654,7 +654,8 @@ get_definition(vahControl * ctl, const char *xmlStr)
     ctl->def = virDomainDefParseString(xmlStr,
                                        ctl->xmlopt, NULL,
                                        VIR_DOMAIN_DEF_PARSE_SKIP_SECLABEL |
-                                       VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE);
+                                       VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE |
+                                       VIR_DOMAIN_DEF_PARSE_VOLUME_TRANSLATED);

     if (ctl->def == NULL) {
         vah_error(ctl, 0, _("could not parse XML"));
-- 
2.41.0

On a Thursday in 2023, Peter Krempa wrote:
>The 'virt-aa-helper' process gets a XML of the VM it needs to create a
>profile for. For a disk type='volume' this XML contained only the
>pool and volume name.
>
>The 'virt-aa-helper' needs a local path though for anything it needs to
>label. This means that we'd either need to invoke connection to the
>storage driver and re-resolve the volume. Alternative which makes more
>sense is to pass the proper data in the XML already passed to it via the
>new XML formatter and parser flags.
>
>This was indirectly reported upstream in
>https://gitlab.com/libvirt/libvirt/-/issues/546
>
>The configuration in the issue above was created by Cockpit on Debian.
>Since Cockpit is getting more popular it's more likely that users will
>be impacted by this problem.
>
>Signed-off-by: Peter Krempa <pkrempa@redhat.com>
>---
> src/security/security_apparmor.c | 8 ++++++--
> src/security/virt-aa-helper.c    | 3 ++-
> 2 files changed, 8 insertions(+), 3 deletions(-)
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano