diff -Nru libvirt-6.0.0/debian/changelog libvirt-6.0.0/debian/changelog
--- libvirt-6.0.0/debian/changelog 2020-04-18 03:59:21.000000000 +0000
+++ libvirt-6.0.0/debian/changelog 2020-05-20 04:59:57.000000000 +0000
@@ -1,3 +1,10 @@
+libvirt (6.0.0-0ubuntu9) groovy; urgency=medium
+
+ * d/p/ubuntu/lp-1879325-*: avoid issues with apparmor metadata labeling
+ (LP: #1879325)
+
+ -- Christian Ehrhardt Wed, 20 May 2020 06:59:57 +0200
+
 libvirt (6.0.0-0ubuntu8) focal; urgency=medium
 
 * d/control, d/rules: Disable rbd and zfs on riscv64 where they are
diff -Nru libvirt-6.0.0/debian/patches/series libvirt-6.0.0/debian/patches/series
--- libvirt-6.0.0/debian/patches/series 2020-04-16 07:47:29.000000000 +0000
+++ libvirt-6.0.0/debian/patches/series 2020-05-20 04:59:57.000000000 +0000
@@ -80,3 +80,5 @@
 ubuntu/lp-1868528-util-virhostcpu-Fail-when-fetching-CPU-Stats-for-inv.patch
 ubuntu-aa/lp-1871354-apparmor-avoid-denials-on-libpmem-initialization.patch
 ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch
+ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch
+ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch
diff -Nru libvirt-6.0.0/debian/patches/ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch libvirt-6.0.0/debian/patches/ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch
--- libvirt-6.0.0/debian/patches/ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-6.0.0/debian/patches/ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch 2020-05-20 04:59:57.000000000 +0000
@@ -0,0 +1,44 @@
+From cc8c297e473afd55e5d8e35e18345d8df176059d Mon Sep 17 00:00:00 2001
+From: Michal Privoznik
+Date: Mon, 18 May 2020 10:07:30 +0200
+Subject: [PATCH] Don't require secdrivers to implement
+ .domainMoveImageMetadata
+
+The AppArmor secdriver does not use labels to grant access to
+resources. Therefore, it doesn't use XATTRs and hence it lacks
+implementation of .domainMoveImageMetadata callback. This leads
+to a harmless but needless error message appearing in the logs:
+
+ virSecurityManagerMoveImageMetadata:476 : this function is not
+ supported by the connection driver: virSecurityManagerMoveImageMetadata
+
+Closes: https://gitlab.com/libvirt/libvirt/-/issues/25
+
+Signed-off-by: Michal Privoznik
+Reviewed-by: Erik Skultety
+
+Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=cc8c297e473afd55e5d8e35e18345d
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879325
+Last-Update: 2020-05-20
+
+---
+ src/security/security_manager.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/security/security_manager.c b/src/security/security_manager.c
+index 2dea294784..b1237d63b6 100644
+--- a/src/security/security_manager.c
++++ b/src/security/security_manager.c
+@@ -473,8 +473,7 @@ virSecurityManagerMoveImageMetadata(virSecurityManagerPtr mgr,
+ return ret;
+ }
+
+- virReportUnsupportedError();
+- return -1;
++ return 0;
+ }
+
+
+--
+2.26.0
+
diff -Nru libvirt-6.0.0/debian/patches/ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch libvirt-6.0.0/debian/patches/ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch
--- libvirt-6.0.0/debian/patches/ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-6.0.0/debian/patches/ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch 2020-05-20 04:59:57.000000000 +0000
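Review bot: The new `return 0;` at the end of virSecurityManagerMoveImageMetadata makes a secdriver that lacks .domainMoveImageMetadata indistinguishable from one that actually moved its remembered labels, and nothing in the hunk records that the move was skipped. For AppArmor that is correct as the description explains, but if a future secdriver that does store XATTR labels omits the callback, stale labels left on the source path would go unnoticed rather than being reported as before. A comment above the return, `/* No callback: this driver keeps no XATTR labels to move (e.g. AppArmor), so there is nothing to do. */`, would make the intent explicit, and a debug-level log line on that path would keep the skip diagnosable. The enclosing function starts before the hunk.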
@@ -0,0 +1,77 @@
+From 55029d93150e33d70b02b6de2b899c05054c5d3a Mon Sep 17 00:00:00 2001
+From: Christian Ehrhardt
+Date: Tue, 26 May 2020 09:33:38 +0200
+Subject: [PATCH] security: don't fail if built without attr support
+
+If built without attr support removing any image will trigger
+ qemuBlockRemoveImageMetadata (the one that emits the warning)
+ -> qemuSecurityMoveImageMetadata
+ -> virSecurityManagerMoveImageMetadata
+ -> virSecurityDACMoveImageMetadata
+ -> virSecurityDACMoveImageMetadataHelper
+ -> virProcessRunInFork (spawns subprocess)
+ -> virSecurityMoveRememberedLabel
+
+In there due to !HAVE_LIBATTR virFileGetXAttrQuiet will return
+ENOSYS and from there the chain will error out.
+
+That is wrong and looks like:
+ libvirtd[6320]: internal error: child reported (status=125):
+ libvirtd[6320]: Unable to remove disk metadata on vm testguest from
+ /var/lib/uvtool/libvirt/images/testguest.qcow (disk target vda)
+
+This change makes virSecurityDACMoveImageMetadataHelper and
+virSecuritySELinuxMoveImageMetadataHelper accept that
+error code gracefully and in that sense it is an extension of:
+5214b2f1a3f "security: Don't skip label restore on file systems lacking XATTRs"
+which does the same for other call chains into the virFile*XAttr functions.
+
+Signed-off-by: Christian Ehrhardt
+Reviewed-by: Michal Privoznik
+
+Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=55029d93150e33d70b02b6de2b899c05054c5d3a
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879325
+Last-Update: 2020-05-27
+
+---
+ src/security/security_dac.c | 6 ++++++
+ src/security/security_selinux.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index bdc2d7edf3..7b95a6f86d 100644
+--- a/src/security/security_dac.c
++++ b/src/security/security_dac.c
+@@ -1117,6 +1117,12 @@ virSecurityDACMoveImageMetadataHelper(pid_t pid G_GNUC_UNUSED,
+
+ ret = virSecurityMoveRememberedLabel(SECURITY_DAC_NAME, data->src, data->dst);
+ virSecurityManagerMetadataUnlock(data->mgr, &state);
++
++ if (ret == -2) {
++ /* Libvirt built without XATTRS */
++ ret = 0;
++ }
++
+ return ret;
+ }
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 9a929debe1..7bb7c2b7b1 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -1975,6 +1975,12 @@ virSecuritySELinuxMoveImageMetadataHelper(pid_t pid G_GNUC_UNUSED,
+
+ ret = virSecurityMoveRememberedLabel(SECURITY_SELINUX_NAME, data->src, data->dst);
+ virSecurityManagerMetadataUnlock(data->mgr, &state);
++
++ if (ret == -2) {
++ /* Libvirt built without XATTRS */
++ ret = 0;
++ }
++
+ return ret;
+ }
+
+--
+2.26.0
+
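Review bot: The `ret == -2` check added to both helpers keys on a bare sentinel, and its comment `/* Libvirt built without XATTRS */` is narrower than what the description suggests the value covers: the referenced 5214b2f1a3f handles file systems lacking XATTRs as well, so the same -2 presumably also arrives on a libattr-enabled build when the image sits on such a file system, and in that case the remembered ownership/label is silently not moved. A comment matching the actual condition, e.g. `/* -2: XATTR support unavailable (built without libattr, or not supported by the file system); no remembered label to move. */`, would avoid misleading the next maintainer, and a debug-level log on that path would keep the skipped move diagnosable. The identical four-line block appears in security_dac.c and security_selinux.c; a small shared helper would keep the two from drifting. Both helper functions start before their hunks.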