[pkg-apparmor] Bug#979964: Apparmor bpf and perfmon capname denial when creating a libvirt VM

Simon Kobyda skobyda at redhat.com
Tue Jan 12 11:33:21 GMT 2021 

Package: apparmor
Version: 2.13.6-3

-- System information:
Linux debian 5.9.0-5-cloud-amd64 #1 SMP Debian 5.9.15-1 (2020-12-17)
x86_64 GNU/Linux

When creating a new VM on a clean instance of debian bullseye,  the
following apparmor denial is printed to /var/log/kern.log:
Jan 12 11:16:08 debian kernel: [   19.023700] audit: type=1400
audit(1610450168.832:25): apparmor="STATUS" operation="profile_load"
profile="unconfined" name="libvirt-bf21a734-8f15-42ac-aa5d-
83e1db193668" pid=2324 comm="apparmor_parser"
Jan 12 11:16:08 debian kernel: [   19.150232] audit: type=1400
audit(1610450168.956:26): apparmor="STATUS" operation="profile_replace"
profile="unconfined" name="libvirt-bf21a734-8f15-42ac-aa5d-
83e1db193668" pid=2332 comm="apparmor_parser"
Jan 12 11:16:09 debian kernel: [   19.276418] audit: type=1400
audit(1610450169.084:27): apparmor="STATUS" operation="profile_replace"
profile="unconfined" name="libvirt-bf21a734-8f15-42ac-aa5d-
83e1db193668" pid=2336 comm="apparmor_parser"
Jan 12 11:16:09 debian kernel: [   19.405932] audit: type=1400
audit(1610450169.212:28): apparmor="STATUS" operation="profile_replace"
info="same as current profile, skipping" profile="unconfined"
name="libvirt-bf21a734-8f15-42ac-aa5d-83e1db193668" pid=2340
comm="apparmor_parser"
Jan 12 11:16:09 debian kernel: [   19.500732] audit: type=1400
audit(1610450169.308:29): apparmor="DENIED" operation="capable"
profile="libvirtd" pid=1931 comm="rpc-worker"
capability=39  capname="bpf"
Jan 12 11:16:09 debian kernel: [   19.503459] audit: type=1400
audit(1610450169.312:30): apparmor="DENIED" operation="capable"
profile="libvirtd" pid=1931 comm="rpc-worker"
capability=38  capname="perfmon"

I see that capabilities PERFMON and BPF has been merged to apparmor as
of version 2.13 , so that's why this denial showed up now.

You can recreate it by running these commands, which will create an
empty VM:
1. echo "<domain type='qemu'><name>testVm</name><os><type
arch='x86_64'>hvm</type></os><memory unit='MiB'>128</memory></domain>"
> /tmp/xml
2. virsh define /tmp/xml
3. virsh start testVm

More information about the pkg-apparmor-team mailing list