[Bug 2079806] Re: qemu-bridge-helper denied by apparmor on oracular
Sergio Durigan Junior
2079806 at bugs.launchpad.net
Sat Sep 7 03:44:48 UTC 2024
OK, just a bit more context here.

I was able to start the VM after setting the suid bit on
/usr/libexec/qemu/qemu-bridge-helper. This is something users have been
expected to do for many years on Debian-like systems now, because we
conscientiously ship this helper *without* the suid bit set.

The apparmor deny message I mentioned before:

[ 182.228244] audit: type=1400 audit(1725680469.378:136):
apparmor="DENIED" operation="open" class="file"
profile="libvirtd//qemu_bridge_helper" name="/sys/devices/system/node/"
pid=1292 comm="qemu-bridge-hel" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0

still shows up even after the VM has been successfully started, which
means it's not a critical problem and can be fixed later.

** Changed in: libvirt (Ubuntu)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2079806
Title:
qemu-bridge-helper denied by apparmor on oracular
Status in libvirt package in Ubuntu:
Fix Committed
Status in libvirt package in Debian:
New
Bug description:
I just upgraded from noble to oracular and my libvirt domains (using
qemu:///session + qemu-bridge-helper for the network) can't start
anymore.

$ virsh start ubuntu-nvmeotcp-poc-target
error: Failed to start domain 'ubuntu-nvmeotcp-poc-target'
error: /usr/lib/qemu/qemu-bridge-helper --use-vnet --br=pocbr0 --fd=32: failed to communicate with bridge helper: : Transport endpoint is not connected

[162559.444684] audit: type=1400 audit(1725612671.214:6873):
apparmor="DENIED" operation="file_mmap" class="file"
profile="libvirtd//qemu_bridge_helper" name="/usr/bin/dash" pid=699975
comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0

After switching to AA complain mode, the domains can start again:

$ sudo aa-complain /etc/apparmor.d/usr.sbin.libvirtd
skipping disabled profile usr.sbin.squid
skipping disabled profile usr.bin.firefox
Setting /etc/apparmor.d/usr.sbin.libvirtd to complain mode.
$ virsh start ubuntu-nvmeotcp-poc-target
Domain 'ubuntu-nvmeotcp-poc-target' started

[162838.572654] audit: type=1400 audit(1725612950.342:6955): apparmor="ALLOWED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper" name="/usr/bin/dash" pid=700572 comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[162838.573199] audit: type=1400 audit(1725612950.342:6956): apparmor="ALLOWED" operation="exec" class="file" profile="libvirtd//qemu_bridge_helper" name="/usr/bin/sleep" pid=700574 comm="qemu-bridge-hel" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
[162838.573204] audit: type=1400 audit(1725612950.342:6957): apparmor="ALLOWED" operation="file_inherit" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/dev/null" pid=700574 comm="sleep" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
[162838.573207] audit: type=1400 audit(1725612950.343:6958): apparmor="ALLOWED" operation="file_inherit" class="net" profile="libvirtd" pid=700574 comm="sleep" family="unix" sock_type="stream" protocol=0 requested="send receive" denied="send receive" addr=none peer_addr=none peer="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
[162838.573271] audit: type=1400 audit(1725612950.343:6959): apparmor="ALLOWED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/usr/bin/sleep" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[162838.573277] audit: type=1400 audit(1725612950.343:6960): apparmor="ALLOWED" operation="file_mmap" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[162838.573340] audit: type=1400 audit(1725612950.343:6961): apparmor="ALLOWED" operation="open" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/etc/ld.so.cache" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[162838.573345] audit: type=1400 audit(1725612950.343:6962): apparmor="ALLOWED" operation="getattr" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/etc/ld.so.cache" pid=700574 comm="sleep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2079806/+subscriptions
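
Added example, not part of the bug report and not libvirt or AppArmor project code: a small Python triage script that re-joins the e-mail-wrapped audit records quoted above, groups them by verdict and profile, and lists the `//null-` learning profiles that complain mode created. The function names (`records`, `summarize`, `learning_profiles`) are hypothetical; the sample records are copied from the report.

```python
import re
from collections import defaultdict

# Records copied from the report above, e-mail line wrapping included.
SAMPLE = '''\
[ 182.228244] audit: type=1400 audit(1725680469.378:136):
apparmor="DENIED" operation="open" class="file"
profile="libvirtd//qemu_bridge_helper" name="/sys/devices/system/node/"
pid=1292 comm="qemu-bridge-hel" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
[162559.444684] audit: type=1400 audit(1725612671.214:6873):
apparmor="DENIED" operation="file_mmap" class="file"
profile="libvirtd//qemu_bridge_helper" name="/usr/bin/dash" pid=699975
comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[162838.573199] audit: type=1400 audit(1725612950.342:6956): apparmor="ALLOWED" operation="exec" class="file" profile="libvirtd//qemu_bridge_helper" name="/usr/bin/sleep" pid=700574 comm="qemu-bridge-hel" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep"
[162838.573204] audit: type=1400 audit(1725612950.342:6957): apparmor="ALLOWED" operation="file_inherit" class="file" profile="libvirtd//qemu_bridge_helper//null-/usr/bin/sleep" name="/dev/null" pid=700574 comm="sleep" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="value" or key=value
RECORD_START = re.compile(r"(?=\[\s*\d+\.\d+\]\s+audit:)")  # zero-width split point

def records(text):
    """Re-join wrapped lines so each audit record is one string."""
    joined = " ".join(line.strip() for line in text.splitlines())
    return [r.strip() for r in RECORD_START.split(joined) if r.strip()]

def summarize(text):
    """Return {verdict: {profile: {resource: set of masks}}}."""
    out = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for rec in records(text):
        f = {k: quoted or bare for k, quoted, bare in FIELD.findall(rec)}
        if "apparmor" not in f or "profile" not in f:
            continue  # not an AppArmor record
        # class="net" records carry no name=, so fall back to the socket family
        resource = f.get("name") or f.get("family", "?") + " socket"
        mask = f.get("denied_mask") or f.get("denied", "")
        out[f["apparmor"]][f["profile"]][resource].add(mask)
    return out

def learning_profiles(summary):
    """Profiles named '...//null-<path>': created in complain mode for an
    exec that had no matching transition rule in the confining profile."""
    return sorted({p for profs in summary.values() for p in profs if "//null-" in p})

if __name__ == "__main__":
    for verdict, profs in summarize(SAMPLE).items():
        for prof, res in profs.items():
            print(verdict, prof, {k: sorted(v) for k, v in res.items()})
```

The DENIED group shows what enforce mode blocked, while the ALLOWED group and the learning profiles show what the helper went on to do once the profile was in complain mode; both sets need review before deciding what the profile should permit.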