Tried in some setups:
- Focal
- Groovy
- Hirsute
- Focal + the virt stack of Hirsute (via https://launchpad.net/~canonical-server/+archive/ubuntu/server-backports)

Results:
- Focal - AA-Denial+Crash
- Groovy - Ok
- Hirsute - Ok
- Focal+Vnew - AA-Denial+Crash

So the results in my test-set are somewhat indicating a fix more in the rest of the system or maybe sssd - at least for the crash that I'm seeing :-/

The crazy part comes now and somewhat matches the mixed feedback I was getting from users on this bug.
For example I was able to avoid the issue by adding the rule:

  echo "network unix dgram," | sudo tee -a /etc/apparmor.d/local/usr.sbin.libvirtd
  sudo apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.libvirtd
  sudo systemctl restart libvirtd # not strictly required, but to be sure

But then removing the issue does not bring it back (neither the denial nor the crash).
I wondered if libvirt might cache something and only reach out (denied and broken) to nss/sssd if not present. In that case the apparmor rule would be needed to allow that.

Trying to clear anything old to get back into the error state:

  echo "" | sudo tee /etc/apparmor.d/local/usr.sbin.libvirtd
  sudo apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.libvirtd
  sudo apt remove --purge libvirt-daemon
  sudo apt install libvirt-daemon-system

And that worked to get it back to the broken state.

I don't see/know yet what fixed it in >=Groovy, but it isn't the same apparmor rule that we use here.
Therefore it makes no sense applying the rule forward upstream or in new releases, but it might be a great avoidance for anyone affected to apply it in Focal's libvirt.

We now have:
- a repro case
- a clear scope (just Focal, fixed later and not a problem before)
- the libvirt profile being lenient before
- libvirt is meant to be able to bind unix sockets

I'll ask security if that is concerned to be a problem.
** Changed in: libvirt (Ubuntu)
   Status: Incomplete => Fix Released

** Changed in: libvirt (Ubuntu Focal)
   Status: Confirmed => Triaged

** Changed in: libvirt (Ubuntu Focal)
   Assignee: (unassigned) => Christian Ehrhardt (paelzer)

** Changed in: libvirt (Ubuntu Focal)
   Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/1890858
Title: AppArmor profile causes QEMU/KVM - Not Connected
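The workaround above maps an AppArmor network denial onto a `network <family> <sock_type>,` rule for the local override file. The following is an added example (not from the bug report or the libvirt package) that scans AppArmor audit/kernel messages for network denials of a given profile and prints the matching rule lines, so an affected admin can confirm the denial before appending anything; the log lines in it are constructed for the example and follow the usual key=value layout of AppArmor "DENIED" messages, not the actual output from this bug.

```shell
#!/bin/sh
# Added example: derive "network <family> <sock_type>," rules from AppArmor
# network denials for one profile. Reads log lines on stdin, e.g.:
#   journalctl -k | suggest_network_rules libvirtd
# (the journalctl pipe is illustrative; the sample below runs offline)

# Print one rule per distinct (family, sock_type) denial for profile "$1".
# File/path denials (no family= field) and other profiles are skipped.
suggest_network_rules() {
    profile="$1"
    grep 'apparmor="DENIED"' \
    | grep "profile=\"$profile\"" \
    | sed -n 's/.*family="\([^"]*\)".*sock_type="\([^"]*\)".*/network \1 \2,/p' \
    | sort -u
}

# Constructed sample log: one unix/dgram network denial for libvirtd, one
# unrelated file denial for libvirtd, one network denial for another profile.
SAMPLE_LOG='type=AVC msg=audit(1596700000.123:45): apparmor="DENIED" operation="create" profile="libvirtd" pid=1234 comm="libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1596700000.456:46): apparmor="DENIED" operation="open" profile="libvirtd" name="/etc/example.conf" pid=1234 comm="libvirtd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1596700001.789:47): apparmor="DENIED" operation="create" profile="otherd" pid=99 comm="otherd" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"'

# Expected output for the constructed sample: network unix dgram,
printf '%s\n' "$SAMPLE_LOG" | suggest_network_rules libvirtd
```

The printed rule is exactly the line the workaround appends to /etc/apparmor.d/local/usr.sbin.libvirtd; review it against what the daemon legitimately needs before reloading the profile with apparmor_parser.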