This is the failing function

/* returns -1 on error or profile for libvirtd is unconfined, 0 if complain
 * mode and 1 if enforcing. This is required because at present you cannot
 * aa_change_profile() from a process that is unconfined.
 */
static int
use_apparmor(void)
{
    int rc = -1;
    char *libvirt_daemon = NULL;

    if (virFileResolveLink("/proc/self/exe", &libvirt_daemon) < 0) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       "%s", _("could not find libvirtd"));
        return rc;
    }

    /* If libvirt_lxc is calling us, then consider apparmor is used
     * and enforced. */
    if (strstr(libvirt_daemon, "libvirt_lxc"))
        return 1;

    if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
        goto cleanup;

    /* First check profile status using full binary path. If that fails
     * check using profile name.
     */
    rc = profile_status(libvirt_daemon, 1);
    if (rc < 0) {
        rc = profile_status("libvirtd", 1);
        /* Error or unconfined should all result in -1 */
        if (rc < 0)
            rc = -1;
    }

 cleanup:
    VIR_FREE(libvirt_daemon);
    return rc;
}
--
https://bugs.launchpad.net/bugs/1895967

Title:
  3.0.0~beta1-0ubuntu1 in Groovy breaks Libvirt/Qemu/KVM

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  Hi,
  I stumbled over this due to automatic tests checking proposed.
  I found that Focal could no longer migrate to Groovy with:

  $ virsh migrate --unsafe --live fguest qemu+ssh://10.162.30.163/system
  error: unsupported configuration: Security driver model 'apparmor' is not available

  I looked into it and found that while all former releases detected
  apparmor correctly:

  $ virsh capabilities | grep -C 3 secmodel
        </cache>
        <secmodel>
          <model>apparmor</model>
          <doi>0</doi>
        </secmodel>
        <secmodel>
          <model>dac</model>
          <doi>0</doi>
          <baselabel type='kvm'>+64055:+108</baselabel>
          <baselabel type='qemu'>+64055:+108</baselabel>
        </secmodel>

  Now on groovy that didn't work anymore:

        <secmodel>
          <model>none</model>
          <doi>0</doi>
        </secmodel>
        <secmodel>
          <model>dac</model>
          <doi>0</doi>
          <baselabel type='kvm'>+64055:+108</baselabel>
          <baselabel type='qemu'>+64055:+108</baselabel>
        </secmodel>

  Since 3.0 is only in proposed:

  # apt-cache policy apparmor
  apparmor:
    Installed: 2.13.3-7ubuntu6
    Candidate: 3.0.0~beta1-0ubuntu1
    Version table:
       3.0.0~beta1-0ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu groovy-proposed/main amd64 Packages
   *** 2.13.3-7ubuntu6 500
          500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
          100 /var/lib/dpkg/status

  I installed the former version.

  $ apt install apparmor=2.13.3-7ubuntu6
  $ rm /var/cache/libvirt/qemu/capabilities/*
  $ systemctl restart libvirtd

  And it works again.
  Interestingly, going back to 3.0 then works and keeps working.

  Therefore maybe it is a red herring and I'll consider it incomplete &
  low prio for now until I know more (allowing others that might see the
  same to find this bug and chime in).
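
The lookup order in use_apparmor() above (full binary path first, then the profile name "libvirtd"), as an added example that is not libvirt's code and not part of the original message. It assumes the kernel's profile list has one "name (mode)" entry per line; lookup_profile(), daemon_profile_status(), the sample lists and the path /usr/sbin/libvirtd are hypothetical or constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample profile lists, not captured from a real host. */
static const char SAMPLE_BY_PATH[] = "/usr/sbin/libvirtd (enforce)\n/usr/sbin/cupsd (enforce)\n";
static const char SAMPLE_BY_NAME[] = "libvirtd (complain)\nvirt-aa-helper (enforce)\n";
static const char SAMPLE_MISSING[] = "/usr/sbin/cupsd (enforce)\nlibvirtd-helper (enforce)\n";

/* Find one profile in a buffer of "name (mode)" lines (assumed format).
 * Returns 1 for enforce, 0 for any other mode (e.g. complain),
 * -1 if no line carries exactly this name. */
static int lookup_profile(const char *list, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = list;

    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        /* Whole-name match: the name must be followed by " (" */
        if (len > nlen + 2 && strncmp(line, name, nlen) == 0 &&
            line[nlen] == ' ' && line[nlen + 1] == '(')
            return strncmp(line + nlen + 2, "enforce)", 8) == 0 ? 1 : 0;
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* Same order as use_apparmor(): binary path first, then profile name. */
static int daemon_profile_status(const char *list, const char *exe_path)
{
    int rc = lookup_profile(list, exe_path);
    if (rc < 0)
        rc = lookup_profile(list, "libvirtd");
    return rc < 0 ? -1 : rc;
}

int main(void)
{
    const char *exe = "/usr/sbin/libvirtd"; /* hypothetical resolved path */
    printf("by path: %d\n", daemon_profile_status(SAMPLE_BY_PATH, exe));
    printf("by name: %d\n", daemon_profile_status(SAMPLE_BY_NAME, exe));
    printf("missing: %d\n", daemon_profile_status(SAMPLE_MISSING, exe));
    return 0;
}
```

A result of -1 is the case in which the function's comment says the daemon is treated as unconfined, so comparing how the daemon's profile is listed before and after the package change is the first thing to check.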