I came up with this patch:
--- /etc/apparmor.d/abstractions/libvirt-qemu.orig 2022-01-22
18:22:57.000000000 +0000
+++ /etc/apparmor.d/abstractions/libvirt-qemu 2022-02-25 13:54:22.075405809
+0000
@@ -85,7 +85,7 @@
/usr/share/misc/sgabios.bin r,
/usr/share/openbios/** r,
/usr/share/openhackware/** r,
- /usr/share/OVMF/** r,
+ /usr/share/OVMF/** rk,
/usr/share/ovmf/** r,
/usr/share/proll/** r,
/usr/share/qemu-efi/** r,
@@ -249,5 +249,8 @@
/ r, # harmless on any lsb compliant system
/sys/bus/nd/devices/{,**/} r,
+ # required for QEMU accessing UEFI nvram variables
+ /**/nvram/*_VARS.fd rwk,
+
# Site-specific additions and overrides. See local/README for details.
#include <local/abstractions/libvirt-qemu>
After
systemctl reload apparmor.service; systemctl restart libvirtd
the reproducer works fine.
I'll send it to libvirt upstream now.
** Description changed:
# lsb_release -rd
Description: Ubuntu 21.10
Release: 21.10
Package: apparmor
Version: 3.0.3-0ubuntu1
Package: virtinst
Version: 1:3.2.0-3
When trying to re-install an existing VM with uefi boot set up using the
recently introduced `--reinstall` option apparmor makes the installation
fail with the following error:
Could not open '/var/lib/libvirt/qemu/nvram/test_VARS.fd': Permission
denied
Steps to reproduce:
Create a VM:
root@ubuntu:~# virt-install --connect qemu:///system --quiet --os-variant
fedora28 --memory 1024 --name test --wait -1 --disk size=1,format=qcow2
--print-xml 1 > /tmp/test1.xml
Edit the VM configuration to enable automatic UEFI boot by changing the
<os> like follows:
- <os>
+ <os firmware='efi'>
-
Define the VM:
root@ubuntu:~# virsh define /tmp/test1.xml
Start VM installation:
root@ubuntu:~# virt-install --connect qemu:///system --reinstall test --wait
-1 --noautoconsole --cdrom /var/lib/libvirt/novell.iso --autostart
WARNING No operating system detected, VM performance may suffer. Specify an
OS with --os-variant for optimal results.
Starting install...
ERROR internal error: process exited while connecting to monitor:
2022-02-23T18:56:54.738510Z qemu-system-x86_64: -blockdev
{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/test_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}:
Could not open '/var/lib/libvirt/qemu/nvram/test_VARS.fd': Permission denied
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
- virsh --connect qemu:///system start test
+ virsh --connect qemu:///system start test
otherwise, please restart your installation.
-
Expected behavior:
VM installation will start without apparmor error.
Actual behavior:
- The above denial happens:
+ The above denials happen:
- Feb 23 18:56:54 ubuntu audit[4420]: AVC apparmor="DENIED"
- operation="open" profile="libvirt-bdd92fa6-6030-4980-951c-2a52ec7e406c"
- name="/var/lib/libvirt/qemu/nvram/test_VARS.fd" pid=4420 comm="qemu-
- system-x86" requested_mask="r" denied_m>
+ audit: type=1400 audit(1645796875.169:132): apparmor="DENIED"
+ operation="open" profile="libvirt-68567d5b-c2c1-4256-9931-ce675df2f9b0"
+ name="/var/lib/libvirt/qemu/nvram/test_VARS.fd" pid=4909 comm="qemu-
+ system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
+
+ same thing later on for "k" (locking)
+
+ audit: type=1400 audit(1645796969.776:151): apparmor="DENIED"
+ operation="file_lock"
+ profile="libvirt-68567d5b-c2c1-4256-9931-ce675df2f9b0"
+ name="/usr/share/OVMF/OVMF_CODE_4M.secboot.fd" pid=5125 comm="qemu-
+ system-x86" requested_mask="k" denied_mask="k" fsuid=64055 ouid=0
+
and stop the installation.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1962035
Title:
apparmor blocks VM installation when automatic UEFI firmware is set
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1962035/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
