[Bug 2079806] Re: qemu-bridge-helper denied by apparmor on oracular

Sergio Durigan Junior 2079806 at bugs.launchpad.net
Fri Sep 6 22:56:33 UTC 2024 

Hey,

Yeah, I'm using qemu:///session but I tried restarting the daemon, and
it still doesn't work for me.  There's something else at play here, and
I'm still debugging to see what's going on.

It's interesting that you were able to start your VM only with your
patch applied but I can't.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2079806

Title:
  qemu-bridge-helper denied by apparmor on oracular

Status in libvirt package in Ubuntu:
  In Progress
Status in libvirt package in Debian:
  New

Bug description:
  I just upgraded from noble to oracular and my libvirt domains (using
  qemu:///session + qemu-bridge-helper for the network) can't start
  anymore.

  $ virsh start ubuntu-nvmeotcp-poc-target
  error: Failed to start domain 'ubuntu-nvmeotcp-poc-target'
  error: /usr/lib/qemu/qemu-bridge-helper --use-vnet --br=pocbr0 --fd=32: failed to communicate with bridge helper: : Transport endpoint is not connected

  [162559.444684] audit: type=1400 audit(1725612671.214:6873):
  apparmor="DENIED" operation="file_mmap" class="file"
  profile="libvirtd//qemu_bridge_helper" name="/usr/bin/dash" pid=699975
  comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000
  ouid=0

  After switching to AA complain mode, the domains can start again:

  $ sudo aa-complain /etc/apparmor.d/usr.sbin.libvirtd 
  skipping disabled profile usr.sbin.squid
  skipping disabled profile usr.bin.firefox
  Setting /etc/apparmor.d/usr.sbin.libvirtd to complain mode.

  $ virsh start ubuntu-nvmeotcp-poc-target
  Domain 'ubuntu-nvmeotcp-poc-target' started

  
  [162838.572654] audit: type=1400 audit(1725612950.342:6955): apparmor="ALLOWED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper" name="/usr/bin/dash" pid=700572 comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [162838.573199] audit: type=1400 audit(1725612950.342:6956): apparmor="ALLOWED" operation="exec" class="file" profile="libvirtd//qemu_bridge_helper" name="/usr/bin/sleep" pid=700574 comm="qemu-bridge-hel" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
  [162838.573204] audit: type=1400 audit(1725612950.342:6957): apparmor="ALLOWED" operation="file_inherit" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/dev/null" pid=700574 comm="sleep" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
  [162838.573207] audit: type=1400 audit(1725612950.343:6958): apparmor="ALLOWED" operation="file_inherit" class="net" profile="libvirtd" pid=700574 comm="sleep" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
  [162838.573271] audit: type=1400 audit(1725612950.343:6959): apparmor="ALLOWED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/usr/bin/sleep" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [162838.573277] audit: type=1400 audit(1725612950.343:6960): apparmor="ALLOWED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [162838.573340] audit: type=1400 audit(1725612950.343:6961): apparmor="ALLOWED" operation="open" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/etc/ld.so.cache" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [162838.573345] audit: type=1400 audit(1725612950.343:6962): apparmor="ALLOWED" operation="getattr" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/etc/ld.so.cache" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2079806/+subscriptions

More information about the Ubuntu-sponsors mailing list