Public bug reported:

There seems to be no way to have per-domain apparmor modifications preserved across a full stop (virsh destroy) and start of a domain.

I am currently testing emulated, file-backed NVMe devices for which I could not find any native support in libvirt while support in QEMU is present. As devices are file-backed and I am using qemu CLI arguments directly, apparmor gets in the way of starting a domain.

https://libvirt.org/drvqemu.html#securitysvirtaa

"/etc/apparmor.d/libvirt/libvirt-<uuid> and /etc/apparmor.d/libvirt/libvirt-<uuid>.files. The former can be fine-tuned by the administrator to allow custom access for this particular QEMU virtual machine, and the latter will be updated appropriately when required file access changes, such as when a disk is added."

The documented way of customizing /etc/apparmor.d/libvirt/libvirt-<uuid> works only for the first start. After a domain is stopped this file is removed.

Usage scenario:

qemu/hw/block/nvme.c:

/**
 * Usage: add options:
 *      -drive file=<file>,if=none,id=<drive_id>
 *      -device nvme,drive=<drive_id>,serial=<serial>,id=<id[optional]>, \
 *              cmb_size_mb=<cmb_size_mb[optional]>, \
 *              num_queues=<N[optional]>
 *
 * Note cmb_size_mb denotes size of CMB in MB. CMB is assumed to be at
 * offset 0 in BAR2 and supports only WDS, RDS and SQS for now.
 */

libvirt+ 32580 66.1  0.1 2883760 55252 ?   Sl   21:15   0:04 qemu-system-x86_64 -enable-kvm -name guest=maas-vhost6,debug-threads=on # … \
  -drive file=/var/lib/libvirt/images/maas-vhost6-nvme0.img,format=raw,if=none,id=nvme0 -device nvme,drive=nvme0,serial=deadbeef -msg timestamp=on

virsh dumpxml maas-vhost6:

<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <!-- the rest of the definition -->
  <qemu:commandline>
    <qemu:arg value='-drive'/>
    <qemu:arg value='file=/var/lib/libvirt/images/maas-vhost6-nvme0.img,format=raw,if=none,id=nvme0'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='nvme,drive=nvme0,serial=deadbeef'/>
  </qemu:commandline>

This had to be done on a global template in order to at least start the domain:

cat /etc/apparmor.d/libvirt/TEMPLATE.qemu
# ...
#include <tunables/global>

profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  "/var/lib/libvirt/images/maas-vhost6-nvme0.img" rwk,
  #include <abstractions/libvirt-qemu>
}

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1788034

Title:
  no way to preserve per-domain apparmor profile modifications across
  reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1788034/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
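The report's workaround puts a hand-written rule for one image path into the global TEMPLATE.qemu, because the per-domain libvirt-<uuid> profile is removed on stop. The script below is an added example, not part of the bug report and not libvirt's own tooling (libvirt generates libvirt-<uuid>.files from the devices it knows about in the domain definition; paths smuggled in through <qemu:commandline> are invisible to it). It reads a domain XML, extracts the file= parameter of every -drive argument in <qemu:commandline>, rejects anything that is not a plain absolute path, and prints rule lines in the same form the reporter used. The domain XML is constructed from the dumpxml fragment in the report; the function and variable names are mine. Generating the rules from the XML instead of typing them keeps a global template limited to the exact files the domains actually reference rather than a broad directory glob, which is the least-privilege point that matters when the template applies to every guest on the host.

```python
"""Derive AppArmor file rules for image paths passed via <qemu:commandline>.

Added example (not from the bug report or from libvirt). Assumptions:
the domain XML uses libvirt's qemu namespace exactly as dumpxml prints
it, and every passthrough disk is given as '-drive file=<path>,...'.
"""
import sys
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"

# Constructed sample, modelled on the report's "virsh dumpxml maas-vhost6".
SAMPLE_DOMAIN_XML = """<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>maas-vhost6</name>
  <qemu:commandline>
    <qemu:arg value='-drive'/>
    <qemu:arg value='file=/var/lib/libvirt/images/maas-vhost6-nvme0.img,format=raw,if=none,id=nvme0'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='nvme,drive=nvme0,serial=deadbeef'/>
  </qemu:commandline>
</domain>
"""


def split_qemu_options(option_string):
    """Split a QEMU 'k=v,k=v' string; a doubled comma ',,' is a literal comma."""
    parts, current, i = [], "", 0
    while i < len(option_string):
        ch = option_string[i]
        if ch == ",":
            if option_string[i + 1:i + 2] == ",":
                current += ","
                i += 2
                continue
            parts.append(current)
            current = ""
        else:
            current += ch
        i += 1
    parts.append(current)
    return parts


def parse_drive_options(option_string):
    """Turn a -drive option string into a dict of its key=value pairs."""
    opts = {}
    for part in split_qemu_options(option_string):
        if "=" in part:
            key, value = part.split("=", 1)
            opts[key] = value
    return opts


def passthrough_drive_files(domain_xml):
    """Return the file= paths of all -drive arguments under <qemu:commandline>."""
    root = ET.fromstring(domain_xml)
    args = [a.get("value", "") for a in root.iter("{%s}arg" % QEMU_NS)]
    files = []
    for i, arg in enumerate(args):
        if arg == "-drive" and i + 1 < len(args):
            opts = parse_drive_options(args[i + 1])
            if "file" in opts:
                files.append(opts["file"])
    return files


def apparmor_rules(paths):
    """Render each path as a quoted 'rwk' rule, as in the report's TEMPLATE.qemu.

    Only plain absolute paths are accepted: a relative path, a glob
    character or an embedded quote/newline would change the meaning of
    the generated profile, so those are rejected instead of being emitted.
    """
    rules = []
    for path in sorted(set(paths)):
        if not path.startswith("/") or any(c in path for c in '"\n*?[]{}'):
            raise ValueError("refusing to generate a rule for %r" % path)
        rules.append('  "%s" rwk,' % path)
    return rules


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOMAIN_XML
    for line in apparmor_rules(passthrough_drive_files(xml_text)):
        print(line)
```

Run it with the path of a `virsh dumpxml` output as its argument, or with no argument to process the constructed sample; the printed lines are what the reporter placed by hand inside the `profile LIBVIRT_TEMPLATE` block.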
