[Bug 2079806] [NEW] qemu-bridge-helper denied by apparmor on oracular
Launchpad Bug Tracker
2079806 at bugs.launchpad.net
Fri Sep 6 15:51:54 UTC 2024
You have been subscribed to a public bug by Olivier Gayot (ogayot):
I just upgraded from noble to oracular and my libvirt domains (using
qemu:///session + qemu-bridge-helper for the network) can't start
anymore.
$ virsh start ubuntu-nvmeotcp-poc-target
error: Failed to start domain 'ubuntu-nvmeotcp-poc-target'
error: /usr/lib/qemu/qemu-bridge-helper --use-vnet --br=pocbr0 --fd=32: failed to communicate with bridge helper: : Transport endpoint is not connected
[162559.444684] audit: type=1400 audit(1725612671.214:6873): apparmor="DENIED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper" name="/usr/bin/dash" pid=699975 comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
After switching to AA complain mode, the domains can start again:
$ sudo aa-complain /etc/apparmor.d/usr.sbin.libvirtd
skipping disabled profile usr.sbin.squid
skipping disabled profile usr.bin.firefox
Setting /etc/apparmor.d/usr.sbin.libvirtd to complain mode.
$ virsh start ubuntu-nvmeotcp-poc-target
Domain 'ubuntu-nvmeotcp-poc-target' started
[162838.572654] audit: type=1400 audit(1725612950.342:6955): apparmor="ALLOWED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper" name="/usr/bin/dash" pid=700572 comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[162838.573199] audit: type=1400 audit(1725612950.342:6956): apparmor="ALLOWED" operation="exec" class="file" profile="libvirtd//qemu_bridge_helper" name="/usr/bin/sleep" pid=700574 comm="qemu-bridge-hel" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
[162838.573204] audit: type=1400 audit(1725612950.342:6957): apparmor="ALLOWED" operation="file_inherit" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/dev/null" pid=700574 comm="sleep" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
[162838.573207] audit: type=1400 audit(1725612950.343:6958): apparmor="ALLOWED" operation="file_inherit" class="net" profile="libvirtd" pid=700574 comm="sleep" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
[162838.573271] audit: type=1400 audit(1725612950.343:6959): apparmor="ALLOWED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/usr/bin/sleep" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[162838.573277] audit: type=1400 audit(1725612950.343:6960): apparmor="ALLOWED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[162838.573340] audit: type=1400 audit(1725612950.343:6961): apparmor="ALLOWED" operation="open" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/etc/ld.so.cache" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[162838.573345] audit: type=1400 audit(1725612950.343:6962): apparmor="ALLOWED" operation="getattr" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/etc/ld.so.cache" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
** Affects: libvirt (Ubuntu)
Importance: Undecided
Assignee: Olivier Gayot (ogayot)
Status: In Progress
** Affects: libvirt (Debian)
Importance: Unknown
Status: New
--
qemu-bridge-helper denied by apparmor on oracular
https://bugs.launchpad.net/bugs/2079806
You received this bug notification because you are a member of Ubuntu Sponsors, which is subscribed to the bug report.
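
The audit records quoted in the report can be summarised mechanically to see which profile blocked which access, and which accesses only surfaced once the profile was in complain mode. The following is an added example, not part of the original report and not libvirt or AppArmor project code; the function names are hypothetical, and the sample input is four records copied from the report above.

```python
import re
from collections import Counter

# Audit records copied from the report above (the first re-joined onto one line).
SAMPLE = """\
[162559.444684] audit: type=1400 audit(1725612671.214:6873): apparmor="DENIED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper" name="/usr/bin/dash" pid=699975 comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[162838.573199] audit: type=1400 audit(1725612950.342:6956): apparmor="ALLOWED" operation="exec" class="file" profile="libvirtd//qemu_bridge_helper" name="/usr/bin/sleep" pid=700574 comm="qemu-bridge-hel" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
[162838.573207] audit: type=1400 audit(1725612950.343:6958): apparmor="ALLOWED" operation="file_inherit" class="net" profile="libvirtd" pid=700574 comm="sleep" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
[162838.573271] audit: type=1400 audit(1725612950.343:6959): apparmor="ALLOWED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/usr/bin/sleep" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in FIELD.findall(line)}

def summarize(text):
    """Count records per (verdict, profile, operation, object, mask)."""
    counts = Counter()
    for rec in filter(None, map(parse_record, text.splitlines())):
        # File records carry name/requested_mask; socket records carry
        # family/requested instead.
        obj = rec.get("name") or rec.get("family", "?")
        mask = rec.get("requested_mask") or rec.get("requested", "?")
        counts[(rec["apparmor"], rec["profile"], rec["operation"], obj, mask)] += 1
    return counts

def learning_profiles(text):
    """Names of transient //null- profiles, which the kernel creates in
    complain mode when an exec has no matching transition rule."""
    found = set()
    for rec in filter(None, map(parse_record, text.splitlines())):
        for key in ("profile", "target"):
            if "//null-" in rec.get(key, ""):
                found.add(rec[key])
    return found

if __name__ == "__main__":
    for (verdict, profile, op, obj, mask), n in sorted(summarize(SAMPLE).items()):
        print(f"{verdict:8} {profile}  {op} {obj} ({mask}) x{n}")
    print("learning profiles:", sorted(learning_profiles(SAMPLE)))
```

Records with apparmor="ALLOWED" come from complain mode and show accesses that enforce mode would have blocked, so they belong in the same review as the DENIED entry.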