** Description changed:

  This is a spinoff of bug #2079806.
  
  When using qemu:///session + qemu-bridge-helper, I see apparmor denials
  like the following:
  
  [  182.228244] audit: type=1400 audit(1725680469.378:136):
  apparmor="DENIED" operation="open" class="file"
  profile="libvirtd//qemu_bridge_helper" name="/sys/devices/system/node/"
  pid=1292 comm="qemu-bridge-hel" requested_mask="r" denied_mask="r"
  fsuid=0 ouid=0
  
  They don't prevent the tap interface from being created nor the VM from
  starting successfully, but it's something that we should probably
  address nevertheless.
  
  Quick & dirty way to test (inside a VM or a container with permissions):
  
  # apt install -y uvtool-libvirt
  # adduser ubuntu kvm
  # adduser ubuntu libvirt-qemu
  # su - ubuntu
  $ uvt-simplestreams-libvirt --verbose sync --source 
http://cloud-images.ubuntu.com/daily release=oracular arch=amd64 label=daily
  $ uvt-kvm create test release=oracular arch=amd64 label=daily --bridge=virbr0
  $ virsh destroy test
  $ virsh dumpxml test > a.xml
  $ virsh -c qemu:///session define a.xml
  $ virsh -c qemu:///session start test
  
- If you encounter a permission denied issue:
+ 1) If you encounter a permission denied issue:
  
  error: Failed to start domain 'test'
  error: Failed to open file '/var/lib/uvtool/libvirt/images/test-ds.qcow': 
Permission denied
  
  You can temporarily allow access to these files for ubuntu user by
  doing:
  
  sudo chmod a+rw /var/lib/uvtool/libvirt/images/*
+ 
+ 2) You will have also to set the SUID bit for /usr/lib/qemu/qemu-bridge-
+ helper to suppress the error : ... stderr=failed to create tun device:
+ Operation not permitted
+ 
+ 
+ sudo chmod u+s /usr/lib/qemu/qemu-bridge-helper

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2079869

Title:
  qemu-bridge-helper needs apparmor to allow access to
  /sys/devices/system/node/



-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
