** Description changed:

+ [Impact]
+ 
+  * New GL handling code in qemu/libs triggers apparmor denials in
+    Jammy and later
+ 
+   * Libvirt already has code that does context aware "if gl is
+     enabled then allow things". The patch extends those by the
+     new paths it needs to access.
+ 
+ [Test Plan]
+ 
+  * In your preferred way get a guest of your choice that has UI support, 
+    for example Ubuntu Desktop
+ 
+  * Set virtio graphics and Enable GL acceleration.
+    Essentially this comes down to those elements:
+    <video>
+      <model type='virtio'/>
+      <driver name='qemu'/>
+    </video>
+    <graphics type='spice'>
+      <listen type='socket'/>
+      <gl enable='yes'/>
+    </graphics>
+    There are various similar, equally valid variants in which you
+    can configure this.
+    You can do the same via the virt-manager UI if you prefer that.
+ 
+ Without the fix that will trigger apparmor denials and not show the
+ Display correctly.
+ 
+ [Where problems could occur]
+ 
+  * This is just "allowing more" to be read out of the apparmor isolation, 
+    therefore I'd hope that regressions are not happening. The scenarios I 
+    could think of are:
+    1. a user of Jammy set this up, wasn't really using GL and after the 
+       fix suddenly gets unexpected UI output (unlikely, and not really a 
+       problem)
+    2. The paths would be considered unsafe to be read by the guest and 
+       thereby be a problem (that is not the case as far as we know so far)
+    3. There might be a missed issue in the changed code, breaking
+       virt-aa-helper (the nature of the change makes this unlikely, it 
+       isn't too complex) and that would stop starting new guests.
+       They'd fail with an apparmor related message then.
+    
+ None of the above seems realistic or critical to me, I think we are safe with this change.
+ 
+ [Other Info]
+  
+  * n/a
+ 
+ --- original bug ---
+ 
+ 
  Also filed upstream:
  https://gitlab.com/libvirt/libvirt/-/merge_requests/151
  
  I recently upgraded from Ubuntu 21.10 to 22.04. I have an existing VM
  with virtio video and gl-accelerated Spice display which previously
  worked.
  
  After the upgrade, virt-manager and virt-viewer display a blank screen.
  In the qemu libvirt logs, I observe many repetitions of:
  
  qemu_spice_gl_scanout_texture: failed to get fd for texture
  
  dmesg contains these AppArmor errors:
  
  [250001.100362] audit: type=1400 audit(1651958128.696:706): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
  [250001.100367] audit: type=1400 audit(1651958128.696:707): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
  
  Modifying the AppArmor config for this VM to permit access to the
  `revision` and `config` sysfs paths fixed this issue for me. The VM
  display is visible and virgl is working. I was able to do so by adding
  the following line:
  
  
  "/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device,config,revision}" r,

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1972075

Title:
  Blank screen when viewing GL-accelerated virtio screen on 22.04
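
An added example, not part of the bug report or of libvirt: a Python check that parses AppArmor `DENIED` audit lines like the two quoted above and reports which denied paths a candidate rule would still leave uncovered. The glob translation handles only `*`, `**`, `?` and `{a,b}`, a simplified subset of AppArmor's path syntax; the third log line (`resource0`) is constructed, and all function names are hypothetical.

```python
import re

# Constructed sample modelled on the report's two denials; the third entry
# (resource0) is invented here to show a path the rule does not cover.
_TEMPLATE = ('[250001.1003{n}] audit: type=1400 audit(1651958128.696:70{n}): '
             'apparmor="DENIED" operation="open" '
             'profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" '
             'name="/sys/devices/pci0000:00/0000:00:02.0/{leaf}" pid=132725 '
             'comm="qemu-system-x86" requested_mask="r" denied_mask="r" '
             'fsuid=64055 ouid=0')
SAMPLE_LOG = "\n".join(_TEMPLATE.format(n=n, leaf=leaf) for n, leaf in
                       [(6, "revision"), (7, "config"), (8, "resource0")])

# Rule path quoted in the report (granted with "r").
RULE_GLOB = ("/sys/devices/**/{uevent,vendor,device,subsystem_vendor,"
             "subsystem_device,config,revision}")

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict of key=value fields per apparmor="DENIED" line."""
    rows = (dict((k, q or b) for k, q, b in FIELD.findall(line))
            for line in text.splitlines())
    return [r for r in rows if r.get("apparmor") == "DENIED"]

def aa_glob_to_regex(glob):
    """Translate a subset of AppArmor globbing into a compiled regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):          # ** crosses '/' boundaries
            out.append(".*"); i += 2; continue
        if c == "*": out.append("[^/]*")      # * stays inside one component
        elif c == "?": out.append("[^/]")
        elif c == "{": out.append("(?:"); depth += 1
        elif c == "}" and depth: out.append(")"); depth -= 1
        elif c == "," and depth: out.append("|")
        else: out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def uncovered(log_text, rule_glob, rule_perms):
    """Denied paths the rule would not allow (path or permission mismatch)."""
    rx = aa_glob_to_regex(rule_glob)
    return [d["name"] for d in parse_denials(log_text)
            if not (rx.fullmatch(d.get("name", ""))
                    and set(d.get("denied_mask", "")) <= set(rule_perms))]

if __name__ == "__main__":
    print(uncovered(SAMPLE_LOG, RULE_GLOB, "r"))
```
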
