Bug#1081396: marked as done (libvirt-daemon: AppArmor support for QEMU domains is (mostly silently) disabled unless libvirt-daemon-driver-lxc is installed)

[Debian Bug Tracking System]

Your message dated Tue, 17 Sep 2024 21:06:28 +0000
with message-id <e1sqfp2-004yp1...@fasolo.debian.org>
and subject line Bug#1081396: fixed in libvirt 10.7.0-3
has caused the Debian Bug report #1081396,
regarding libvirt-daemon: AppArmor support for QEMU domains is (mostly 
silently) disabled unless libvirt-daemon-driver-lxc is installed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1081396: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081396
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: libvirt-daemon
Version: 10.7.0-2
Severity: normal

If libvirt-daemon-driver-lxc is not installed, libvirtd logs this on startup:

  libvirtd[2085]: internal error: template 
'/etc/apparmor.d/libvirt/TEMPLATE.lxc' does not exist

… and then apparently the logic to generate AppArmor profiles for QEMU VMs and
enforce them is disabled. That was not obvious to me: I thought "OK, I don't
have the LXC driver installed, so sure that file is missing, it's fine" and did
not guess this would break a previously working security feature.

I'm under the impression that this breakage happened recently, because just
a few weeks ago I had AppArmor denials break stuff for 1 of my VMs, so it must
have been working back then.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (2, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii  libc6                  2.40-2
ii  libgcc-s1              14.2.0-4
ii  libglib2.0-0t64        2.82.0-1
ii  libtirpc3t64           1.3.4+ds-1.3
ii  libvirt-common         10.7.0-2
ii  libvirt-daemon-common  10.7.0-2
ii  libvirt0               10.7.0-2
ii  libxml2                2.12.7+dfsg-3+b1
ii  logrotate              3.22.0-1

Versions of packages libvirt-daemon recommends:
ii  libvirt-daemon-driver-interface        10.7.0-2
ii  libvirt-daemon-driver-lxc              10.7.0-2
ii  libvirt-daemon-driver-network          10.7.0-2
ii  libvirt-daemon-driver-nodedev          10.7.0-2
ii  libvirt-daemon-driver-nwfilter         10.7.0-2
ii  libvirt-daemon-driver-qemu             10.7.0-2
ii  libvirt-daemon-driver-secret           10.7.0-2
ii  libvirt-daemon-driver-storage          10.7.0-2
ii  libvirt-daemon-driver-storage-disk     10.7.0-2
ii  libvirt-daemon-driver-storage-iscsi    10.7.0-2
ii  libvirt-daemon-driver-storage-logical  10.7.0-2
ii  libvirt-daemon-driver-storage-mpath    10.7.0-2
ii  libvirt-daemon-driver-storage-scsi     10.7.0-2
pn  libvirt-daemon-driver-vbox             <none>
pn  libvirt-daemon-driver-xen              <none>
ii  libvirt-daemon-lock                    10.7.0-2
ii  libvirt-daemon-log                     10.7.0-2
ii  libvirt-daemon-plugin-lockd            10.7.0-2
ii  libvirt-daemon-plugin-sanlock          10.7.0-2

Versions of packages libvirt-daemon suggests:
pn  libvirt-daemon-driver-storage-gluster       <none>
pn  libvirt-daemon-driver-storage-iscsi-direct  <none>
pn  libvirt-daemon-driver-storage-rbd           <none>
pn  libvirt-daemon-driver-storage-zfs           <none>
ii  libvirt-daemon-system                       10.7.0-2

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: libvirt
Source-Version: 10.7.0-3
Done: Andrea Bolognani <e...@kiyuko.org>

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1081...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrea Bolognani <e...@kiyuko.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 16 Sep 2024 21:41:15 +0200
Source: libvirt
Architecture: source
Version: 10.7.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers 
<pkg-libvirt-maintain...@lists.alioth.debian.org>
Changed-By: Andrea Bolognani <e...@kiyuko.org>
Closes: 1081396
Changes:
 libvirt (10.7.0-3) unstable; urgency=medium
 .
   * [70a5d8d] patches: Add backport/apparmor-Don-t-check-for[...]
     - Ensures that AppArmor doesn't get disabled for QEMU domains
       just because the LXC driver is not installed (Closes: #1081396)
Checksums-Sha1:
 6166e3a3192c731eed1a1c944cc41f08c5c8aeba 7666 libvirt_10.7.0-3.dsc
 cb508b8fb4413d13fbb44f291b5323f1806e6dc5 94596 libvirt_10.7.0-3.debian.tar.xz
 4bc0e4a2417f794de1be14eef86d28fd3946a18e 13641 
libvirt_10.7.0-3_source.buildinfo
Checksums-Sha256:
 5a296c9a9a0ec7b9f0e7688f18caba5336c6a52288bbf08d3fe8007f81fefc2b 7666 
libvirt_10.7.0-3.dsc
 b5ffa426656412907dc1f59a4e58d4a6b27a59867f15c1b7320d63c1b30d9ee3 94596 
libvirt_10.7.0-3.debian.tar.xz
 44dde1e44c81d9f958c8068b2d2c6669bb5d859c838f2419ee334c88a7168760 13641 
libvirt_10.7.0-3_source.buildinfo
Files:
 bda79778f75fd8854494b3a0f996b758 7666 libs optional libvirt_10.7.0-3.dsc
 55152aecdf2d69a66e2b7ef1da5a893a 94596 libs optional 
libvirt_10.7.0-3.debian.tar.xz
 20ab44251197f9cfacc75b134dc3d7ec 13641 libs optional 
libvirt_10.7.0-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEEO48t9niVypx3EjLf954fxUKFg6wFAmbp6ncPHGVvZkBraXl1
a28ub3JnAAoJEPeeH8VChYOsKQoP/RnuHFJ0jtg4LT/Vn4is1ZoDmNDifkADW4jI
yQrlf/exqpkoDL6DlxTXqMVCQcGWEDEWr8EB69SdOGv1tn5X2OFCfqsgdDl2/pcQ
V6BOdMI2j4fCMgA3Cpkgzm5balUNsqTz431uN2IIZAruV11p8jYPXndlD0qBBQcf
R66L3APv/12poKjQw4CsNGuu6TCaDPy3aDvKZHWF4V6K01WiBk1q6mlwWZoADKVx
FQRUmqlUs4O6OHPPmBvKFminwN0i6w+3X8k/0MNKKGoC9aikKfwBEJL66xzDA5pO
Ymk6KXmcKQ350FsVm2qd+jw7FV+xlrFYR+DV/9Eeg7UdQgrI6p5d1TFwJd5xqkTw
Ur4la0aQnf9FUAOSdjGjs0sOLC85lGqq0wq4z3g5sZbtqzw9agxHg1X+VFbQ+8dL
ySBsj/B2IbydqbEPhQcSIY8YHzy4Dqm4KYLO5EKjQ8oVVLTvbLs1XkMzL3udyDA3
qMRZ50RT/EJOhc5g9HSekbj3XMWhOiZnpw/Mf0MKZd0AMwy+AnoDzA5GQ5kfdjhY
UuDa1rLG8liwDkHGkZaCVuNXX1dpXImlf/YOJJ+9i9YXMoI3T01JYd2xZX9TPKUP
3oNUmQMHICNtiJZwHDZyCPAj8WAf8OA6Eggi480N2xp06l767JsVrVTn1OwzdqQH
hulRXnCN
=NVPe
-----END PGP SIGNATURE-----

pgp9U5hxQkq9i.pgp
Description: PGP signature

--- End Message ---