Package: libvirt-daemon-system
Version: 11.3.0-3
Followup-For: Bug #924418
X-Debbugs-Cc: [email protected]
Dear Maintainer,
(Please note: reportbug indicated newer versions 11.8.0-1/2 exist in
testing/unstable. This report confirms the bug is present in version 11.3.0-3
as currently installed on my Debian Trixie system.)
I am experiencing an issue on Debian Trixie where libvirtd fails to start
QEMU/KVM virtual machines that require UEFI and TPM 2.0 (like Windows 11),
seemingly due to an AppArmor integration problem. Both gnome-boxes and
virt-manager fail.
**Symptoms:**
1. Using gnome-boxes: Attempting to create a Windows 11 VM fails with the
generic error "incapable host system".
2. Using virt-manager: Attempting to create the same VM fails repeatedly with
a specific libvirt error: "internal error: cannot load AppArmor profile
'libvirt-[UUID]'" (where [UUID] is dynamically generated).
**System Configuration & Prerequisites Confirmed:**
* Debian Trixie (Testing) is up to date (Kernel 6.12.48+deb13-amd64).
* CPU virtualization (VT-x/AMD-V) is enabled and detected.
* Required packages `qemu-system-x86`, `libvirt-daemon-system` (11.3.0-3),
`virt-manager`, `ovmf`, and `swtpm-tools` are installed.
* User is added to `libvirt` and `kvm` groups.
* AppArmor is active. `aa-status` shows `libvirtd` and `virt-aa-helper`
profiles loaded in enforce mode.
**Debugging Steps Taken & Findings:**
1. Setting the `/etc/apparmor.d/usr.sbin.libvirtd` profile to complain mode
(`sudo aa-complain ...`) **did not** resolve the "cannot load AppArmor profile"
error in virt-manager. Profile was returned to enforce mode afterwards.
2. Identified the helper binary at `/usr/lib/libvirt/virt-aa-helper` and its
profile `/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper`.
3. Setting the `/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper` profile to
complain mode **did not** resolve the error, and `sudo dmesg | grep
apparmor=\"DENIED\"` showed **no DENIED messages** related to virt-aa-helper
or apparmor_parser during the failed VM startup attempt. This indicates the
failure is likely not a simple permission denial. Profile was returned to
enforce mode afterwards.
4. The default `virt-aa-helper` profile contains the rule
`/{usr/,}{s,}bin/apparmor_parser Ux,`. Modifying this rule to use `Px`
(`/{usr/,}{s,}bin/apparmor_parser Px,`) caused AppArmor service reload to fail
due to "conflicting x modifiers", indicating `Px` is likely incorrect or
incompatible here. The rule was reverted to `Ux`.
**Successful (but Insecure) Workaround:**
* The *only* way found to successfully start the VM was by explicitly disabling
AppArmor confinement for QEMU. This was achieved by adding the line
`security_driver = "none"` to `/etc/libvirt/qemu.conf` and restarting
`libvirtd.service`. This strongly indicates the bug lies within the
libvirt-AppArmor interaction for dynamic profile loading.
**Hypothesis:**
There appears to be a bug in how libvirtd/virt-aa-helper attempts to generate
and load the dynamic AppArmor profile for the QEMU VM process on Debian Trixie
11.3.0-3. This failure occurs even with complain mode enabled and is not
resolved by the standard `Ux` execute permission for `apparmor_parser` within
the helper's profile. The failure mode suggests an issue deeper than simple
rule denial, potentially related to profile transition or interaction with the
kernel API.
Please let me know if any further logs or testing are required.
Thank you for maintaining libvirt.
-- System Information:
Debian Release: 13.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libvirt-daemon-system depends on:
ii libvirt-clients 11.3.0-3
ii libvirt-common 11.3.0-3
ii libvirt-daemon 11.3.0-3
ii libvirt-daemon-common 11.3.0-3
ii libvirt-daemon-config-network 11.3.0-3
ii libvirt-daemon-config-nwfilter 11.3.0-3
ii libvirt-daemon-driver-network 11.3.0-3
ii libvirt-daemon-driver-nodedev 11.3.0-3
ii libvirt-daemon-driver-nwfilter 11.3.0-3
ii libvirt-daemon-driver-qemu 11.3.0-3
ii libvirt-daemon-driver-secret 11.3.0-3
ii libvirt-daemon-driver-storage 11.3.0-3
ii libvirt-daemon-log 11.3.0-3
ii libvirt0 11.3.0-3
libvirt-daemon-system recommends no packages.
libvirt-daemon-system suggests no packages.
-- no debconf information
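The dmesg and qemu.conf checks from the debugging steps above, as an added Python helper that is not part of this bug report or of libvirt: it parses AppArmor audit lines from a captured dmesg file, summarises DENIED events per profile (so "no DENIED messages for virt-aa-helper" becomes a checkable result), and reads the effective `security_driver` from qemu.conf so the `"none"` workaround is flagged. The log lines and config fragment are constructed samples; their pids, timestamps and paths are assumptions.

```python
"""Added helper (not from the bug report or libvirt): parse AppArmor audit
lines from a dmesg capture, summarise DENIED events per profile, and read
the effective security_driver from qemu.conf to flag the "none" workaround."""
import re

# Constructed dmesg excerpt (not from the report); field layout follows
# the kernel's AppArmor audit messages, the values are made up.
SAMPLE_DMESG = """\
[  100.1] audit: type=1400 audit(1700000000.100:42): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/var/lib/libvirt/images/win11.qcow2" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
[  100.2] audit: type=1400 audit(1700000000.200:43): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-3f8c" pid=4243 comm="apparmor_parser"
[  100.3] audit: type=1400 audit(1700000000.300:44): apparmor="DENIED" operation="exec" class="file" profile="libvirtd" name="/usr/bin/swtpm" pid=4244 comm="libvirtd" requested_mask="x" denied_mask="x"
[  100.4] audit: type=1400 audit(1700000000.400:45): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/apparmor.d/libvirt/TEMPLATE.qemu" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
"""

# Constructed qemu.conf fragment: commented defaults plus the workaround.
SAMPLE_QEMU_CONF = """\
#security_driver = "selinux"
#security_driver = [ "selinux", "apparmor" ]
security_driver = "none"
"""

# key=value or key="quoted value", as written by the AppArmor audit code.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_line(line):
    """Fields of one AppArmor audit line, or None for unrelated dmesg lines."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD_RE.finditer(line)}
    return fields if "apparmor" in fields else None

def denials_by_profile(text):
    """Map profile -> [(operation, name), ...] for every DENIED event."""
    out = {}
    for line in text.splitlines():
        ev = parse_apparmor_line(line)
        if ev and ev["apparmor"] == "DENIED":
            out.setdefault(ev.get("profile"), []).append(
                (ev.get("operation"), ev.get("name")))
    return out

def security_driver(conf_text):
    """Effective security_driver in qemu.conf (last uncommented assignment
    wins); None means the setting is absent and libvirt autodetects."""
    value = None
    for line in conf_text.splitlines():
        m = re.match(r'\s*security_driver\s*=\s*(.*?)\s*$', line)
        if m:
            value = m.group(1).strip('"')
    return value
```

Run it against `dmesg > /tmp/dmesg.txt` and `/etc/libvirt/qemu.conf` on the affected host: an empty result for `virt-aa-helper` and `libvirtd` reproduces the report's finding, and a `security_driver` of `none` means QEMU is running unconfined.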