Public bug reported:

For remote attestation of an Intel TDX VM,

libvirt (starting from 11.6) allows specifying the communication channel
to the QGSD (Quote Generation Service) running on the host:

  <launchSecurity type='tdx'>
    ....
    <quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/>
  </launchSecurity>

AppArmor blocks access to this Unix socket file, and quote
generation is impossible from inside the guest:

Mar 17 14:54:37 curtis-spr-739457 kernel: audit: type=1400
audit(1773759277.567:1184): apparmor="DENIED" operation="connect"
class="file" profile="libvirt-1fbef563-7d58-4c78-81b3-fa8878a819ee"
name="/run/tdx-qgs/qgs.socket" pid=449247 comm="io-task-worker"
requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=997

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: libvirt-hwe (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  For remote attestation of a Intel TDX VM,
-  
- libvirt (starting from 11.6) allows to specify the communication channel to 
the QGSD (Quote Generation Service) running on the host:
  
-   <launchSecurity type='tdx'>
-     ....
-     <quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/>
-   </launchSecurity>
+ libvirt (starting from 11.6) allows to specify the communication channel
+ to the QGSD (Quote Generation Service) running on the host:
+ 
+   <launchSecurity type='tdx'>
+     ....
+     <quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/>
+   </launchSecurity>
  
  apparmor blocks the access to this unix socket file and the quote
- generation is impossible from inside the guest.
+ generation is impossible from inside the guest:
+ 
+ Mar 17 14:54:37 curtis-spr-739457 kernel: audit: type=1400
+ audit(1773759277.567:1184): apparmor="DENIED" operation="connect"
+ class="file" profile="libvirt-1fbef563-7d58-4c78-81b3-fa8878a819ee"
+ name="/run/tdx-qgs/qgs.socket" pid=449247 comm="io-task-worker"
+ requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=997

** Also affects: libvirt-hwe (Ubuntu)
   Importance: Undecided
       Status: New
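Triage helper for the denial quoted in this report, added here as an example; it is not code from the reporter, libvirt or Ubuntu. It parses the AppArmor audit line, recovers the libvirt domain UUID from the per-VM profile name (the `libvirt-<uuid>` pattern visible in the log), checks that the denied path is the one configured in the domain's `<quoteGenerationService>` element, and emits the AppArmor file rule that would grant the denied mask. The sample audit line and domain XML are constructed from the values in the report. It assumes, as on Ubuntu, that `/var/run` is a symlink to `/run`, which is why the rule must name `/run/tdx-qgs/qgs.socket` even though the XML says `/var/run/...`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the denial from the bug report, on one line as journald prints it.
SAMPLE_AUDIT_LINE = (
    'Mar 17 14:54:37 curtis-spr-739457 kernel: audit: type=1400 '
    'audit(1773759277.567:1184): apparmor="DENIED" operation="connect" '
    'class="file" profile="libvirt-1fbef563-7d58-4c78-81b3-fa8878a819ee" '
    'name="/run/tdx-qgs/qgs.socket" pid=449247 comm="io-task-worker" '
    'requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=997'
)

# Constructed sample: the relevant part of the domain XML from the report.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>tdx-guest</name>
  <launchSecurity type='tdx'>
    <quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/>
  </launchSecurity>
</domain>"""

# key=value pairs, with or without double quotes around the value
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# libvirt names each per-domain profile after the domain UUID (seen in the log above)
_LIBVIRT_PROFILE_RE = re.compile(r'^libvirt-([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$')
# AppArmor file-rule permission letters we are willing to copy from a denied_mask
_FILE_PERMS = set('rwakm')


def parse_apparmor_event(line: str) -> dict:
    """Return the key=value fields of an AppArmor audit line as a dict of strings."""
    fields = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def domain_uuid_from_profile(profile: str):
    """Extract the libvirt domain UUID from a 'libvirt-<uuid>' profile name, else None."""
    m = _LIBVIRT_PROFILE_RE.match(profile)
    return m.group(1) if m else None


def canonical_socket_path(path: str) -> str:
    """Fold /var/run into /run: AppArmor matches the resolved path (Ubuntu symlinks /var/run)."""
    if path.startswith('/var/run/'):
        return '/run/' + path[len('/var/run/'):]
    return path


def qgs_socket_from_domain_xml(domain_xml: str):
    """Return the quoteGenerationService path from a libvirt domain XML, or None."""
    root = ET.fromstring(domain_xml)
    node = root.find('./launchSecurity/quoteGenerationService')
    return node.get('path') if node is not None else None


def suggested_rule(event: dict):
    """Build the AppArmor file rule that would grant exactly the denied access, or None."""
    if event.get('apparmor') != 'DENIED' or event.get('class') != 'file':
        return None
    perms = ''.join(sorted(set(event['denied_mask']) & _FILE_PERMS))
    if not perms:
        return None
    return f'{event["name"]} {perms},'


def triage(line: str, domain_xml: str) -> dict:
    """Tie a denial to the domain config and propose the rule; all values are derived, not guessed."""
    ev = parse_apparmor_event(line)
    configured = qgs_socket_from_domain_xml(domain_xml)
    return {
        'domain_uuid': domain_uuid_from_profile(ev.get('profile', '')),
        'denied_path': ev.get('name'),
        'configured_path': configured,
        'matches_domain_xml': configured is not None
                              and canonical_socket_path(configured) == ev.get('name'),
        'rule': suggested_rule(ev),
    }


if __name__ == '__main__':
    for k, v in triage(SAMPLE_AUDIT_LINE, SAMPLE_DOMAIN_XML).items():
        print(f'{k}: {v}')
```

The rule string is meant to be placed where libvirt's generated per-domain profiles will pick it up; on Ubuntu that is conventionally `/etc/apparmor.d/local/abstractions/libvirt-qemu` (an assumption about the packaging, not stated in the report), followed by reloading the profile. Granting `rw` on the socket path is the minimum the log shows the VM asked for; do not widen it to the whole `/run/tdx-qgs/` directory unless the service actually needs that.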

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2144665

Title:
  intel tdx : apparmor blocks VM access to unix socket for quote
  generation

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2144665/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
