Thanks Jamie for providing an approach that is a compromise between upstream's needs and Ubuntu as a downstream - as well as at the same time being a tradeoff between comfort and security.
I'll implement this as a downstream change in 19.10:
- add the comment to the config (thanks for writing it up)
- change the code to allow it in any case

But for older releases I'd decide that we don't want to change this through an SRU.
There the solution for users who depend on it is to add
  /dev/vhost-net rw,
to
- if existing (>= 18.10) /etc/apparmor.d/local/abstractions/libvirt-qemu
- or otherwise to /etc/apparmor.d/abstractions/libvirt-qemu

** Also affects: libvirt (Ubuntu Disco)
   Importance: Undecided
       Status: In Progress

** Also affects: libvirt (Ubuntu Ee-series)
   Importance: Undecided
       Status: New

** Changed in: libvirt (Ubuntu Ee-series)
       Status: New => Triaged

** Changed in: libvirt (Ubuntu Disco)
       Status: In Progress => Won't Fix

** Changed in: libvirt (Ubuntu Cosmic)
       Status: Triaged => Won't Fix

** Changed in: libvirt (Ubuntu Bionic)
       Status: Triaged => Won't Fix

** Tags added: libvirt-19.10

-- 
https://bugs.launchpad.net/bugs/1815910

Title:
  Apparmor blocks access to /dev/vhost-net
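
The workaround for older releases described in the comment above, as an added shell sketch that is not part of the original bug comment or of libvirt's packaging. The function names and the `ROOT` argument (an alternate filesystem root, so the logic can be tried on a copy) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: apply the /dev/vhost-net workaround idempotently.
RULE='/dev/vhost-net rw,'

# Print the file the rule belongs in: the local override when it exists
# (>= 18.10 per the comment), otherwise the shipped abstraction.
# $1 is a hypothetical alternate root; it defaults to the live system.
vhost_target() {
    root="${1:-/}"
    local_f="${root%/}/etc/apparmor.d/local/abstractions/libvirt-qemu"
    main_f="${root%/}/etc/apparmor.d/abstractions/libvirt-qemu"
    if [ -f "$local_f" ]; then
        printf '%s\n' "$local_f"
    elif [ -f "$main_f" ]; then
        printf '%s\n' "$main_f"
    else
        return 1
    fi
}

# Append the rule unless an equivalent line is already present, so that
# repeated runs never duplicate it. Prints "added: FILE" or "present: FILE".
allow_vhost_net() {
    target=$(vhost_target "$1") || {
        echo "no libvirt-qemu abstraction found" >&2
        return 1
    }
    if grep -Eq '^[[:space:]]*/dev/vhost-net[[:space:]]+rw,[[:space:]]*$' "$target"; then
        echo "present: $target"
    else
        printf '  %s\n' "$RULE" >> "$target"
        echo "added: $target"
    fi
}

# Usage (as root, on the live system):  allow_vhost_net
```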