You are right, the conf is what I missed.
Since this is an uncommon feature (I agree it is currently underated, but that
is how it is) there is no rush to fix it in release. Especially since it (the
apparmor change) can be fixed by changing the conffile.
But I want to help to fix this the long
Finally got time to test this. Adding those lines to the apparmor
profile indeed fixes it for me when the setuid bit is set.
Did you add the bridge device to /etc/qemu/bridge.conf? I'm using
qemu:///session with virt-manager.
--
You received this bug notification because you are a member of
Running as
$ virt-manager -c qemu:///session
Setting up a bridge device the virt-manager way:
1. "specify shared device name"
name: virbr0
(that is the name of the default bridge in -c qemu:///user and not visible
to qemu:///session)
The profile applies and blocks
Unable to complete
The apparmor profile from libvirt doesn't seem to work, only tearing
down apparmor completely makes it tick. Getting that fixed for Ubuntu
would be a big help.
If you need to test this, use virt-manager with a user session and try
to use an existing bridge as the interface for a VM. You also need
Hi Toni,
by permanently I assume you mean to retain it through package updates?
For now I'd like to stick following Debian on that.
Even the upstream doc expects it to be off [1]
What would be a good idea for this to be easier to stick across updates - a
custom maintainer script entry maybe?
Reading the original Debian thread I don't really disagree with the
packager but there should at least be a better way to permanently enable
the setuid bit and have a correct apparmor profile so it would be
possible to use it.
I qemu://session as a regular user with virt-manager because it helps
Correct, it's not suid root because of security concerns, according to
this changelog entry from verison 2.1+dfsg-3:
* include /usr/lib/qemu-bridge-helper binary, but not make it setuid
due to security concerns outlined in #691138 (Closes: #691138)
Correct, it's not suid root because of security concerns, according to
this changelog entry from verison 2.1+dfsg-3:
* include /usr/lib/qemu-bridge-helper binary, but not make it setuid
due to security concerns outlined in #691138 (Closes: #691138)
