[pkg-apparmor] [Pkg-libvirt-maintainers] Bug#889150: libvirt-daemon-system: Please provide updated AppArmor profiles for stretch or stretch-backports

Guido Günther agx at sigxcpu.org
Mon Feb 5 08:49:02 UTC 2018


Hi,
On Fri, Feb 02, 2018 at 06:54:20PM +0100, Hilko Bengen wrote:
> Package: libvirt-daemon-system
> Version: 3.0.0-4+deb9u1
> Severity: normal
> 
> Hi,
> 
> on a Debian/stretch system with a current kernel from stretch-backports,
> I tried putting together a qemu/libvirtd/virt-manager setup and noticed
> that libvirt was not able to properly shut down VMs that it had started.
> 
> The problem was observable in at least two ways:
> 
> (1) Triggering the "shut down" action from virt-manager leads to a
> Windows VM showing the shutdown screen; the mouse cursor can no longer
> be moved. Typing "list" in virsh tells me that the VM is in state "in
> shutdown".
> 
> (2) Typing "destroy $NAME" in virsh produces an error message:
> ,----
> | error: Failed to destroy domain $NAME
> | error: Failed to terminate process $PID with SIGTERM: Permission denied
> `----
> 
> Manually killing the qemu process and repeating the "destroy" command
> leads to the desired result (state "shut off").
> 
> From the audit log, it is clear that AppArmor (which is enabled by
> default in the kernel from stretch-backports) prevents the delivery of
> signals. I was able to fix the issue for myself by using
> /etc/apparmor.d/* from a newer libvirt-daemon-system version (3.10.0-1).
> 
> Please consider doing at least one of the following:
> - an update of the AppArmor profile through proposed-updates and the
>   next point release
> - an update of libvirt via stretch-backports.
> 
> I am willing to help with either solution.

We have a stable update pending

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887855

so this would fit but IMHO backported kernels should not turn on these
features by default (signal and ptrace). I'm not sure what would be the
best way to do this (either apparmor or the kernel package) so cc'ing
the apparmor maintainers.
Cheers,
 -- Guido
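The report above points at the audit log as the place where the AppArmor denial shows up. The following is an added example, not part of the thread and not libvirt's or Debian's own tooling: a small POSIX shell filter that pulls AppArmor `signal` and `ptrace` denials out of audit-style log lines and summarises profile, operation, signal name and peer label, so an operator can confirm that a hung "destroy" is a profile problem rather than a qemu problem. The embedded log lines are constructed for the example (the PID, UUID and timestamps are made up); they follow the general shape of AppArmor signal-mediation AVC records, not lines copied from the bug report.

```shell
#!/bin/sh
# Constructed sample audit records (hypothetical PID, UUID and timestamps),
# shaped like AppArmor signal/ptrace mediation denials. Not from the report.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=AVC msg=audit(1517589260.101:311): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=1001 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="libvirt-00000000-1111-2222-3333-444444444444"
type=AVC msg=audit(1517589260.102:312): apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/libvirt/qemu.conf" pid=1001 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1517589275.500:340): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=1001 comm="libvirtd" requested_mask="send" denied_mask="send" signal=kill peer="libvirt-00000000-1111-2222-3333-444444444444"
type=AVC msg=audit(1517589280.700:345): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1001 comm="libvirtd" requested_mask="read" denied_mask="read" peer="libvirt-00000000-1111-2222-3333-444444444444"
EOF
)

# Read audit lines on stdin; print "profile operation signal peer" for every
# DENIED signal or ptrace record. Other operations (file opens etc.) are skipped.
apparmor_denials() {
  awk '/apparmor="DENIED"/ && /operation="(signal|ptrace)"/ {
    prof = ""; op = ""; sig = "-"; peer = "";
    for (i = 1; i <= NF; i++) {
      # Each token is key=value; strip the surrounding quotes from the value.
      n = index($i, "=");
      if (n == 0) continue;
      k = substr($i, 1, n - 1);
      v = substr($i, n + 1);
      gsub(/"/, "", v);
      if (k == "profile")        prof = v;
      else if (k == "operation") op = v;
      else if (k == "signal")    sig = v;
      else if (k == "peer")      peer = v;
    }
    printf "%s %s %s %s\n", prof, op, sig, peer;
  }'
}

# Number of denied signal deliveries in the sample (a hung virsh "destroy"
# typically shows up as denied term/kill signals toward the guest's peer label).
count_signal_denials() {
  printf '%s\n' "$SAMPLE_AUDIT_LOG" | apparmor_denials | grep -c ' signal '
}

# Total denied signal+ptrace records in the sample.
count_all_denials() {
  printf '%s\n' "$SAMPLE_AUDIT_LOG" | apparmor_denials | grep -c .
}

# Stand-alone run: list the denials found in the sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | apparmor_denials
```

On a live system the same filter can be fed from the audit log (`apparmor_denials < /var/log/audit/audit.log`, or from `journalctl -k` where auditd is not running). A denied `term` followed by a denied `kill` toward a `libvirt-<uuid>` peer is exactly the symptom Hilko describes: libvirtd's profile lacks a rule permitting it to signal the per-guest qemu profile, which the newer profile set in 3.10.0-1 supplies.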