[Pkg-libvirt-maintainers] Bug#877926: libvirt-daemon-system: Can't start VMs with AppArmor enabled and Linux 4.13+

intrigeri at debian.org
Sat Oct 7 11:02:38 UTC 2017


Package: libvirt-daemon-system
Version: 3.7.0-4
Severity: normal
Tags: patch

Hi,

Since I've upgraded to Linux 4.13, my VMs don't start anymore,
and virt-manager tells me "Error starting domain: internal error:
child reported: Kernel does not provide mount namespace: Permission
denied".

The logs say:

  apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=19409 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef"

This (stolen from Ubuntu) fixes it:

--- a/apparmor.d/usr.sbin.libvirtd
+++ b/apparmor.d/usr.sbin.libvirtd
@@ -37,6 +37,9 @@
   network packet dgram,
   network packet raw,
 
+  # Grant bare ptrace
+  ptrace,
+
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
   / r,
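Review bot: the bare `ptrace,` rule added here is broader than the denial in the report requires. The logged denial is for requested_mask="trace" against the guest's own label (peer="libvirt-14dcf3fa-..."), so a rule scoped to that case, e.g. `ptrace (trace) peer=libvirt-*,`, would clear the reported failure without granting libvirtd read/trace access to every process on the host; if the unrestricted form is really needed for other cases, the comment should say why rather than just "Grant bare ptrace". It would also help the maintainers to cite where in the Ubuntu packaging this rule was taken from, since the report only says it was borrowed from Ubuntu.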

Cheers,
-- 
intrigeri