[Pkg-libvirt-maintainers] Bug#993856: Bug#993856: libvirt-daemon-system: vfio device passthrough fails with device pools due to apparmor profile

Vasudev Kamath vasudev at debian.org
Tue Sep 7 11:19:20 BST 2021


Hi Again,

Vasudev Kamath <vasudev at debian.org> writes:
>
> And the network configuration in libvirt domain looks like below
>
>     <interface type='network'>
>       <mac address='52:54:00:e1:5b:95'/>
>       <source network='passthrough'/>
>       <teaming type='transient' persistent='ua-backup0'/>
>       <address type='pci' domain='0x0000' bus='0x08' slot='0x00' function='0x0'/>
>     </interface>
>
> When I start the domain, even though the domain starts fine, VF pass through does not happen and the following
> message is seen in the dmesg output
>
> [11236.601474] audit: type=1400 audit(1630925018.676:49): apparmor="DENIED" operation="open" profile="libvirt-e70e9c2c-110c-401c-982f-cb384d158471" name="/dev/vfio/315" pid=5929 comm=43505520382F4B564D requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=64055
>
> and passthrough does not happen.

Just wanted to add that this failure happens only with device pool
pass through, which is handled by libvirt [1]. Normal hostdev pass
through, which looks like below, works just fine and apparmor does not
cause an issue in this case.

    <interface type='hostdev' managed='yes'>
      <mac address='52:54:00:e1:5b:95'/>
      <source>
        <address type='pci' domain='0x0000' bus='0x18' slot='0x00' function='0x1'/>
      </source>
      <teaming type='transient' persistent='ua-backup0'/>
      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
    </interface>


[1] https://libvirt.org/formatnetwork.html

Best Regards,
Vasudev
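
Added example, not part of the original message: a small Python triage helper that parses the AppArmor audit record quoted above, decodes the hex-encoded `comm` field, and reports denials of `/dev/vfio/*` under a per-domain `libvirt-<UUID>` profile. The function names are hypothetical, and it assumes the kernel's usual audit convention of logging strings that contain spaces as bare hex.

```python
import re

# Audit record copied from the dmesg output quoted in the message above.
SAMPLE = (
    '[11236.601474] audit: type=1400 audit(1630925018.676:49): apparmor="DENIED" '
    'operation="open" profile="libvirt-e70e9c2c-110c-401c-982f-cb384d158471" '
    'name="/dev/vfio/315" pid=5929 comm=43505520382F4B564D requested_mask="wr" '
    'denied_mask="wr" fsuid=64055 ouid=64055'
)

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields logged as "untrusted strings": quoted when plain, bare hex when they
# contain a space, a quote or a non-printable byte (assumed convention).
STRING_FIELDS = {"profile", "name", "comm"}


def decode_value(key, raw):
    """Strip quotes, or hex-decode a bare value of a string field."""
    if raw.startswith('"'):
        return raw[1:-1]
    if key in STRING_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw  # numeric fields such as pid stay as written


def parse_apparmor_event(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    return {k: decode_value(k, v) for k, v in FIELD.findall(line)}


def vfio_denial(event):
    """Summarise a denial of /dev/vfio/* under a per-domain libvirt profile."""
    if not event or event.get("apparmor") != "DENIED":
        return None
    profile, name = event.get("profile", ""), event.get("name", "")
    if not (profile.startswith("libvirt-") and name.startswith("/dev/vfio/")):
        return None
    return {
        "domain_uuid": profile[len("libvirt-"):],
        "device": name,
        "thread": event.get("comm"),
        "denied": event.get("denied_mask"),
    }


if __name__ == "__main__":
    print(vfio_denial(parse_apparmor_event(SAMPLE)))
```

The decoded `comm` shows the denied open came from a QEMU vCPU thread, and the UUID in the profile name identifies which domain's generated profile lacks the rule for the VFIO group device.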


