Repro:
1. Starting a new guest from which I dropped any network (e.g. created via uvtool)
2. Check the rendered profile - as expected there is no /dev/vhost-net

   $ cat /etc/apparmor.d/libvirt/$(virsh dominfo disco-test-vhost | awk '/^Security label:/ {print $3}').files
   # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
   "/var/log/libvirt/**/disco-test-vhost.log" w,
   "/var/lib/libvirt/qemu/domain-disco-test-vhost/monitor.sock" rw,
   "/var/lib/libvirt/qemu/domain-1-disco-test-vhost/*" rw,
   "/var/run/libvirt/**/disco-test-vhost.pid" rwk,
   "/run/libvirt/**/disco-test-vhost.pid" rwk,
   "/var/run/libvirt/**/*.tunnelmigrate.dest.disco-test-vhost" rw,
   "/run/libvirt/**/*.tunnelmigrate.dest.disco-test-vhost" rw,
   "/var/lib/uvtool/libvirt/images/disco-test-vhost.qcow" rwk,
   "/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MTkuMDQ6YW1kNjQgMjAxOTAyMTA=" rk,
   "/var/lib/uvtool/libvirt/images/disco-test-vhost-ds.qcow" rwk,
   "/var/lib/libvirt/qemu/domain-1-disco-test-vhost/{,**}" rwk,
   "/var/lib/libvirt/qemu/channel/target/domain-1-disco-test-vhost/{,**}" rwk,
   "/var/lib/libvirt/qemu/domain-1-disco-test-vhost/master-key.aes" rwk,

3. Try to hot add a virtio vhost-net device (and track dmesg)

   $ cat net.xml
   <interface type='network'>
     <mac address='52:54:00:f6:9a:47'/>
     <source network='default'/>
     <model type='virtio'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
   </interface>
   $ virsh attach-device disco-test-vhost net.xml
   error: Failed to attach device from net.xml
   error: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

And dmesg reports:

   audit: type=1400 audit(1550159090.042:133): apparmor="DENIED" operation="file_receive" profile="libvirt-236ce1b4-61fd-4aa5-8031-a4df09de5b32" name="/dev/vhost-net" pid=22374 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0

That should be exactly your error, now let's check what security labeling calls are made ...
--
https://bugs.launchpad.net/bugs/1815910
Title: Apparmor blocks access to /dev/vhost-net
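The check done by eye in the report above (is the path named in the AppArmor denial covered by any rule in the rendered per-guest .files profile?) can be scripted. This is an added example, not code from the bug report or from libvirt; the sample input is constructed from the lines quoted above, the function names are hypothetical, and the glob handling covers only **, *, ? and {a,b} (deny rules, includes and abstractions are not considered).

```python
import re

# Constructed sample input: the dmesg record and two profile rules quoted in the report.
AUDIT = ('audit: type=1400 audit(1550159090.042:133): apparmor="DENIED" '
         'operation="file_receive" profile="libvirt-236ce1b4-61fd-4aa5-8031-a4df09de5b32" '
         'name="/dev/vhost-net" pid=22374 comm="qemu-system-x86" '
         'requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0')
PROFILE = '''# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/disco-test-vhost.log" w,
  "/var/lib/libvirt/qemu/domain-1-disco-test-vhost/{,**}" rwk,
'''

def parse_audit(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def parse_rules(text):
    """Return (path_glob, perms) for each quoted file rule in a .files profile."""
    return re.findall(r'^[ \t]*"([^"]+)"[ \t]+([a-zA-Z]+),[ \t]*$', text, re.M)

def glob_to_regex(glob):
    """Translate the AppArmor glob subset handled here: **, *, ? and {a,b}."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** crosses directory boundaries
            out.append(".*"); i += 1
        elif c == "*":                    # * stays within one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def missing_perms(audit_line, profile_text):
    """Return the denied permissions that no profile rule grants for the denied path."""
    rec = parse_audit(audit_line)
    if rec.get("apparmor") != "DENIED":
        return set()
    granted = set()
    for glob, perms in parse_rules(profile_text):
        if re.fullmatch(glob_to_regex(glob), rec["name"]):
            granted |= set(perms)
    return set(rec.get("denied_mask", "")) - granted
```

A non-empty result means the rendered profile has no rule granting the denied access to that path, which matches step 2 of the repro.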