I'd agree and work on adding the rule upstream and into Ubuntu, but what I need to do is help to understand "why this triggers for you".
I run libvirt locally and in many tests, but so far have never seen this apparmor denial. Although if it is a non-fatal bug it is easier to miss ...

The linked Debian bug (thanks paride) has a bit more detail on how to trigger it. But the bug also is almost a year old and no one else has hit this, ... that is odd.

I've set up an L1 guest with an extra disk as scsi disk:

    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/uvtool/libvirt/images/testguest-scsi-ephem-00.qcow'/>
      <target dev='sda' bus='scsi'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    ...
    <controller type='scsi' index='0' model='virtio-scsi'>
      <address type='pci' domain='0x0000' bus='0x0a' slot='0x01' function='0x0'/>
    </controller>

In the guest that appears as scsi disk, here from lshw:

    *-scsi
         description: SCSI storage controller
         product: Virtio SCSI
         vendor: Red Hat, Inc.
         physical id: 1
         bus info: pci@0000:07:01.0
         version: 00
         width: 64 bits
         clock: 33MHz
         capabilities: scsi msix bus_master cap_list
         configuration: driver=virtio-pci latency=0
         resources: irq:23 ioport:c000(size=64) memory:fc000000-fc000fff memory:fe000000-fe003fff
    *-disk
         description: SCSI Disk
         product: QEMU HARDDISK
         vendor: QEMU
         physical id: 0.0.0
         bus info: scsi@0:0.0.0
         logical name: /dev/sda
         version: 2.5+
         size: 4GiB (4294MB)
         capabilities: 5400rpm
         configuration: ansiversion=5 logicalsectorsize=512 sectorsize=512
    *-sata
         description: SATA controller
         product: 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA Controller [AHCI mode]
         vendor: Intel Corporation
         physical id: 1f.2
         bus info: pci@0000:00:1f.2
         version: 02
         width: 32 bits
         clock: 33MHz
         capabilities: sata msi ahci_1.0 bus_master cap_list
         configuration: driver=ahci latency=0
         resources: irq:41 ioport:d060(size=32) memory:fd41b000-fd41bfff

Using that to define another guest:

    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/sda'/>
      <target dev='sda' bus='scsi'/>
    </disk>
    <controller type='scsi' index='0' model='virtio-scsi'/>

But with that the guest starts fine and no apparmor denial shows up.

Could you help by outlining how you configure your host and guest so that this issue triggers? Only then do we have a use case that we can tie to the new apparmor rule to allow this.

** Changed in: libvirt (Ubuntu)
       Status: Triaged => Incomplete

https://bugs.launchpad.net/bugs/1881969

Title:
  apparmor profile for libvirtd/libvirt-daemon needs fixing