[ 2652.756712] audit: type=1400 audit(1491303691.719:25): apparmor="DENIED" operation="open" profile="libvirt-17a61b87-5132-497c-b928-421ac2ee0c8a" name="/dev/vfio/vfio" pid=8486 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
Usually guides say that a user who wants to provide vfio should uncomment the default provided but commented cgroup_device_acl setting. I was able to confirm that even with that the case fails with the aforementioned apparmor deny.

As suggested, the right solution is to add it to the base abstraction, being /etc/apparmor.d/abstractions/libvirt-qemu, like:

  # allow guest access to the generic base vfio interface (LP: #1678322)
  /dev/vfio/vfio rw,

The base device should be safe as it has "all but a couple version and extension query interfaces locked away" [1]. This is not new; the open on this has been in the code since 2014, so I wonder if all using that just disabled it or manually tweaked.

This part shall surely be added to the base profile.
Looking into the setrlimit next.

[1]: https://www.kernel.org/doc/Documentation/vfio.txt

https://bugs.launchpad.net/bugs/1678322
Title: Ubuntu 17.04 KVM: Can not do hotplug attach
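
Added example, not part of the original bug comment and not libvirt or AppArmor code: a small Python triage helper that parses kernel AppArmor DENIED records like the one quoted above and merges them into candidate rule lines for review. It assumes, following the comment, that denials from per-guest libvirt-<UUID> profiles belong in the shared abstraction; the second log line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First record: the denial quoted in the bug comment. Second record: constructed
# (hypothetical second guest, read-only request) to show merging.
SAMPLE_LOG = (
    '[ 2652.756712] audit: type=1400 audit(1491303691.719:25): apparmor="DENIED" '
    'operation="open" profile="libvirt-17a61b87-5132-497c-b928-421ac2ee0c8a" '
    'name="/dev/vfio/vfio" pid=8486 comm="qemu-system-x86" requested_mask="wr" '
    'denied_mask="wr" fsuid=64055 ouid=0\n'
    '[ 2660.000001] audit: type=1400 audit(1491303699.000:26): apparmor="DENIED" '
    'operation="open" profile="libvirt-00000000-0000-4000-8000-000000000001" '
    'name="/dev/vfio/vfio" pid=9001 comm="qemu-system-x86" requested_mask="r" '
    'denied_mask="r" fsuid=64055 ouid=0\n'
)
ABSTRACTION = "/etc/apparmor.d/abstractions/libvirt-qemu"  # path from the comment
GUEST_PROFILE = re.compile(r"^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
PERM_ORDER = "rwaxmlk"
LOG_TO_RULE = {"c": "w", "d": "w"}  # logged create/delete are covered by "w"

def parse_denials(text):
    """Yield the key/value fields of each AppArmor DENIED record."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
        if {"profile", "name", "denied_mask"} <= rec.keys():
            yield rec

def suggest_rules(text):
    """Return {(policy file or profile, path): merged permission string}."""
    merged = defaultdict(set)
    for rec in parse_denials(text):
        # Assumption taken from the comment: a denial under any per-guest
        # libvirt-<UUID> profile is addressed in the shared abstraction.
        scope = ABSTRACTION if GUEST_PROFILE.match(rec["profile"]) else rec["profile"]
        merged[(scope, rec["name"])].update(LOG_TO_RULE.get(p, p) for p in rec["denied_mask"])
    return {k: "".join(p for p in PERM_ORDER if p in v) for k, v in merged.items()}

def render(rules):
    """Format each merged entry as '<where>: <path> <perms>,' for a reviewer."""
    return [f"{scope}: {path} {perms}," for (scope, path), perms in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(render(suggest_rules(SAMPLE_LOG))))
```

The output is a list of candidates to review, since every accepted line widens what all guests using that abstraction may open.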
