Hi Daniel,
thank you for your report and your help making Ubuntu better.

Your workaround is exactly the right way to flag your system for your special 
local configuration.
In later releases there is a file at:
  /etc/apparmor.d/local/abstractions/libvirt-qemu
which shall help to add a rule without conflicts on conffiles at package 
updates.

I assume that you have started the domain without any vhost-net device, but 
then hotplugged one.
The rule for /dev/vhost-net is added on guest definition if a network device 
has VIR_DOMAIN_NET_BACKEND_TYPE_QEMU and virDomainNetIsVirtioModel.

That means if you start without any such device it won't be added at
startup, and later at hotplug you hit the reported error.

I'd need to check if any of the relabeling calls that we have registered
at virAppArmorSecurityDriver could be made to detect a vhost device and
add that path in addition to what it was actually called for - maybe
the FD for the vhost-dev gets a labeling call?

For now please confirm my assumption on your setup before I hunt a red
herring in the code :-)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1815910

Title:
  Apparmor blocks access to /dev/vhost-net
