Bug#1030926: marked as done (libvirt-daemon-system: Wrong AppArmor definition for /usr/bin/qemu-system-i386)

Thu, 31 Oct 2024 12:51:20 -0700 

Your message dated Thu, 31 Oct 2024 19:47:08 +0000
with message-id <[email protected]>
and subject line Bug#1030926: fixed in libvirt 9.0.0-4+deb12u2
has caused the Debian Bug report #1030926,
regarding libvirt-daemon-system: Wrong AppArmor definition for 
/usr/bin/qemu-system-i386
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1030926: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030926
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: libvirt-daemon-system
Version: 9.0.0-1
Severity: normal
X-Debbugs-Cc: [email protected]

Dear maintainer,

/usr/bin/qemu-system-i386 is included in /etc/apparmor.d/abstractions/libvirt-
qemu. But because it is just a wrapper, the real binary is /usr/libexec/qemu-
system-i386. Once you are trying to run an i386 VM, libvirt report "internal
error: process exited while connecting to monitor: /usr/bin/qemu-system-i386:
29: exec: /usr/libexec/qemu-system-i386: Permission denied".

The obvious solution is to add this binary to "abstractions" and reload
apparmor.

Not sure if it as an upstream bug or related to Debian package. We didn't use
this i386 machine for a while, it worked previously...

dmesg:
[  926.819853] audit: type=1400 audit(1675940937.111:42): apparmor="DENIED"
operation="exec" profile="libvirt-e66e81f4-a0de-417a-b8f7-6d699f1108e7"
name="/usr/libexec/qemu-system-i386" pid=5543 comm="qemu-system-i38"
requested_mask="x" denied_mask="x" fsuid=64055 ouid=0

libvirtd.log:
2023-02-09 11:08:57.016+0000: starting up libvirt version: 9.0.0, package: 1
(Andrea Bolognani <[email protected]> Sat, 28 Jan 2023 17:03:53 +0100), qemu
version: 7.2.0Debian 1:7.2+dfsg-2, kernel: 6.1.0-3-amd64, hostname: big-
pc.home.
ca
LC_ALL=C \
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
HOME=/var/lib/libvirt/qemu/domain-3-2k.windows.malaheene \
XDG_DATA_HOME=/var/lib/libvirt/qemu/domain-3-2k.windows.malaheene/.local/share
\
XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain-3-2k.windows.malaheene/.cache \
XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain-3-2k.windows.malaheene/.config \
/usr/bin/qemu-system-i386 \
-name guest=2k.windows.malaheenee.ca,debug-threads=on \
-S \
-object '{"qom-
type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain-3-2k.windows.malaheene/master-
key.aes"}' \
-machine pc-i440fx-1.4,usb=off,vmport=off,dump-guest-core=off,memory-
backend=pc.ram \
-accel kvm \
-cpu pentium3,hv-time=on,hv-relaxed=on,hv-vapic=on,hv-spinlocks=0x1fff \
-m 256 \
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":268435456}' \
-overcommit mem-lock=off \
-smp 1,sockets=1,cores=1,threads=1 \
-uuid e66e81f4-a0de-417a-b8f7-6d699f1108e7 \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=31,server=on,wait=off \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=localtime,driftfix=slew \
-global kvm-pit.lost_tick_policy=delay \
-no-hpet \
-no-shutdown \
-global PIIX4_PM.disable_s3=1 \
-global PIIX4_PM.disable_s4=1 \
-boot strict=on \
-device '{"driver":"pci-ohci","id":"usb","bus":"pci.0","addr":"0x3"}' \
-device '{"driver":"virtio-serial-pci","id":"virtio-
serial0","bus":"pci.0","addr":"0x7"}' \
-global isa-fdc.bootindexA=1 \
-blockdev
'{"driver":"file","filename":"/home/libvirt/pool/2k.windows.qcow2","aio":"native","node-
name":"libvirt-3-storage","cache":{"direct":true,"no-flush":false},"auto-read-
only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-3-format","read-
only":false,"cache":{"direct":true,"no-
flush":false},"driver":"qcow2","file":"libvirt-3-storage","backing":null}' \
-device '{"driver":"ide-
hd","bus":"ide.0","unit":0,"drive":"libvirt-3-format","id":"ide0-0-0","bootindex":3,"write-
cache":"on"}' \
-device '{"driver":"ide-
cd","bus":"ide.1","unit":0,"id":"ide0-1-0","bootindex":2}' \
-device '{"driver":"floppy","unit":0,"id":"fdc0-0-0"}' \
-netdev '{"type":"tap","fd":"32","id":"hostnet0"}' \
-device
'{"driver":"rtl8139","netdev":"hostnet0","id":"net0","mac":"52:54:00:10:06:02","bus":"pci.0","addr":"0x5"}'
\
-chardev spicevmc,id=charchannel0,name=vdagent \
-device '{"driver":"virtserialport","bus":"virtio-
serial0.0","nr":1,"chardev":"charchannel0","id":"channel0","name":"com.redhat.spice.0"}'
\
-device '{"driver":"usb-tablet","id":"input2","bus":"usb.0","port":"1"}' \
-audiodev '{"id":"audio1","driver":"spice"}' \
-spice port=5900,addr=127.0.0.1,disable-ticketing=on,image-
compression=off,seamless-migration=on \
-k en-us \
-device '{"driver":"cirrus-vga","id":"video0","bus":"pci.0","addr":"0x4"}' \
-device
'{"driver":"AC97","id":"sound0","audiodev":"audio1","bus":"pci.0","addr":"0x6"}'
\
-chardev spicevmc,id=charredir0,name=usbredir \
-device '{"driver":"usb-
redir","chardev":"charredir0","id":"redir0","bus":"usb.0","port":"2"}' \
-chardev spicevmc,id=charredir1,name=usbredir \
-device '{"driver":"usb-
redir","chardev":"charredir1","id":"redir1","bus":"usb.0","port":"3"}' \
-device '{"driver":"virtio-balloon-
pci","id":"balloon0","bus":"pci.0","addr":"0x8"}' \
-sandbox
on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
-msg timestamp=on
2023-02-09 11:08:57.016+0000: Domain id=3 is tainted: deprecated-config
(machine type 'pc-i440fx-1.4')
/usr/bin/qemu-system-i386: 29: exec: /usr/libexec/qemu-system-i386: Permission
denied
2023-02-09 11:08:57.152+0000: shutting down, reason=failed



-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'oldstable-updates'), (500, 'oldoldstable'), (500, 'unstable'), (500, 
'testing'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-3-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon-system depends on:
ii  adduser                         3.131
ii  debconf [debconf-2.0]           1.5.82
ii  gettext-base                    0.21-11
ii  iptables                        1.8.9-2
ii  libvirt-clients                 9.0.0-1
ii  libvirt-daemon                  9.0.0-1
ii  libvirt-daemon-config-network   9.0.0-1
ii  libvirt-daemon-config-nwfilter  9.0.0-1
ii  libvirt-daemon-system-systemd   9.0.0-1
ii  logrotate                       3.21.0-1
ii  polkitd                         122-3

Versions of packages libvirt-daemon-system recommends:
ii  dmidecode                    3.4-1
ii  dnsmasq-base [dnsmasq-base]  2.89-1
ii  iproute2                     6.1.0-1
pn  mdevctl                      <none>
ii  parted                       3.5-3

Versions of packages libvirt-daemon-system suggests:
ii  apparmor    3.0.8-2+b1
pn  auditd      <none>
ii  nfs-common  1:2.6.2-4
pn  open-iscsi  <none>
pn  pm-utils    <none>
ii  systemd     252.5-2
pn  systemtap   <none>
pn  zfsutils    <none>

-- Configuration Files:
/etc/libvirt/qemu.conf [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'

-- debconf information:
  libvirt-daemon-system/id_warning: true

--- End Message ---
--- Begin Message --- 
Source: libvirt
Source-Version: 9.0.0-4+deb12u2
Done: Andrea Bolognani <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrea Bolognani <[email protected]> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 21 Oct 2024 13:51:48 +0200
Source: libvirt
Architecture: source
Version: 9.0.0-4+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian Libvirt Maintainers 
<[email protected]>
Changed-By: Andrea Bolognani <[email protected]>
Closes: 1030926
Changes:
 libvirt (9.0.0-4+deb12u2) bookworm; urgency=medium
 .
   * [275099d] patches: Add backports
     - backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch
       - Closes: #1030926
     - backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-[...]
       - Prevents certain guests from becoming unbootable or
         disappearing during upgrade
Checksums-Sha1:
 f2a5a564c39455869ed42a5d49f96a213ec60d04 5537 libvirt_9.0.0-4+deb12u2.dsc
 15ab086ce2a3d6882d6204fdf4093feecfa32f90 97964 
libvirt_9.0.0-4+deb12u2.debian.tar.xz
 28444087dc79a079a2f108136830e3c50f1d0272 14387 
libvirt_9.0.0-4+deb12u2_source.buildinfo
Checksums-Sha256:
 4c6794d4af567cb984d1996a7c9f6b66102f5ccb81faffe2dcef8a95656a16f0 5537 
libvirt_9.0.0-4+deb12u2.dsc
 5152a991ed16d3e155f7e14645d654cf2dbf0e60cbd256c4db121593097a1006 97964 
libvirt_9.0.0-4+deb12u2.debian.tar.xz
 a77355e54bd09b7734c523cbe5c88df3e4a47b15aa6ec3b1029e6132e8d6d661 14387 
libvirt_9.0.0-4+deb12u2_source.buildinfo
Files:
 a6b8ef5b19cdda4b0e022468f6463659 5537 libs optional libvirt_9.0.0-4+deb12u2.dsc
 88eeb79bd8f456bad7fb903950f03c54 97964 libs optional 
libvirt_9.0.0-4+deb12u2.debian.tar.xz
 357027010617f38194f2be821a5f7ef9 14387 libs optional 
libvirt_9.0.0-4+deb12u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEEO48t9niVypx3EjLf954fxUKFg6wFAmciq1EPHGVvZkBraXl1
a28ub3JnAAoJEPeeH8VChYOs+eEQAPjd4Cp9b8oAsNmYgW9ELLmG5Xs1HFFuPtaE
dP8lcvtGVGArycAt6tY44Ijx39F33kdDvu2GbOmkgQs/tqw6PqmmNEgUez/Gs3ye
fdC/qjkviNJnZSS9fgF8Ryu2d5WBQ0I/srecwQx61QBZs2yaFbJ8Yyuke3kuq3Zq
o8wQmAKY/f65TWybfx8ZuzdvNtKSI5/MCBgUL4rwGmppgHJpH3eXAAlRYvpm/YeK
yPpY0sRH43LyNsCG+zpqglxlA7ShXOaePfZ+yUAc1znSHNfXi6TvVWZs0bAlVgU2
oORFgXY7v8gjN8YklhMUWRXoL2TS24PLgWH2NKQJFbYA7wvW7LwJxnNOTWNpVPIs
vzc+CC/AZSvwYA8j5/SGFB/pN2QLskD9HEOFsykeC5yyTmAR9v5YqAzUVaSJpOhJ
Auh+P2HHls8p6rtgE5AGCenbD9zWeXJfxiPswcfkhkqK8/YC7MtXDeP/Kg4pLKMN
rM0mudCeGZiQrEgJmAGLZyh4C/RtXZUILhcPmpRxe4ptz1TFnE8p659nr+XdqSlo
SH2mxcHD3JPMTkyn3xSEl6L5LaRfzsi7+6vyTjOWvwcnsC+gSz4Y0fqHcLX78gVr
R8UjyfhhqVHm5UTCAFyKdsRyRurDmWzfmnA+sBR55nvyq08gdPvB1HZWX+B6D1BW
xWhD+FYw
=RR4r
-----END PGP SIGNATURE-----

Attachment: pgpbr5wOfVG3L.pgp
Description: PGP signature


--- End Message ---

Reply via email to