[Pkg-libvirt-maintainers] Bug#1030926: libvirt-daemon-system: Wrong AppArmor definition for /usr/bin/qemu-system-i386

Charles Malaheenee malaheenee at gmx.fr
Thu Feb 9 11:16:34 GMT 2023


Package: libvirt-daemon-system
Version: 9.0.0-1
Severity: normal
X-Debbugs-Cc: malaheenee at gmx.fr

Dear maintainer,

/usr/bin/qemu-system-i386 is included in
/etc/apparmor.d/abstractions/libvirt-qemu. But because it is just a wrapper,
the real binary is /usr/libexec/qemu-system-i386. Once you try to run an i386
VM, libvirt reports "internal error: process exited while connecting to
monitor: /usr/bin/qemu-system-i386: 29: exec: /usr/libexec/qemu-system-i386:
Permission denied".

The obvious solution is to add this binary to "abstractions" and reload
apparmor.

Not sure if it is an upstream bug or related to the Debian package. We didn't use
this i386 machine for a while, it worked previously...

dmesg:
[  926.819853] audit: type=1400 audit(1675940937.111:42): apparmor="DENIED" operation="exec" profile="libvirt-e66e81f4-a0de-417a-b8f7-6d699f1108e7" name="/usr/libexec/qemu-system-i386" pid=5543 comm="qemu-system-i38" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0

libvirtd.log:
2023-02-09 11:08:57.016+0000: starting up libvirt version: 9.0.0, package: 1
(Andrea Bolognani <eof at kiyuko.org> Sat, 28 Jan 2023 17:03:53 +0100), qemu
version: 7.2.0Debian 1:7.2+dfsg-2, kernel: 6.1.0-3-amd64, hostname: big-
pc.home.
ca
LC_ALL=C \
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
HOME=/var/lib/libvirt/qemu/domain-3-2k.windows.malaheene \
XDG_DATA_HOME=/var/lib/libvirt/qemu/domain-3-2k.windows.malaheene/.local/share \
XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain-3-2k.windows.malaheene/.cache \
XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain-3-2k.windows.malaheene/.config \
/usr/bin/qemu-system-i386 \
-name guest=2k.windows.malaheenee.ca,debug-threads=on \
-S \
-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain-3-2k.windows.malaheene/master-key.aes"}' \
-machine pc-i440fx-1.4,usb=off,vmport=off,dump-guest-core=off,memory-backend=pc.ram \
-accel kvm \
-cpu pentium3,hv-time=on,hv-relaxed=on,hv-vapic=on,hv-spinlocks=0x1fff \
-m 256 \
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":268435456}' \
-overcommit mem-lock=off \
-smp 1,sockets=1,cores=1,threads=1 \
-uuid e66e81f4-a0de-417a-b8f7-6d699f1108e7 \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=31,server=on,wait=off \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=localtime,driftfix=slew \
-global kvm-pit.lost_tick_policy=delay \
-no-hpet \
-no-shutdown \
-global PIIX4_PM.disable_s3=1 \
-global PIIX4_PM.disable_s4=1 \
-boot strict=on \
-device '{"driver":"pci-ohci","id":"usb","bus":"pci.0","addr":"0x3"}' \
-device '{"driver":"virtio-serial-pci","id":"virtio-serial0","bus":"pci.0","addr":"0x7"}' \
-global isa-fdc.bootindexA=1 \
-blockdev '{"driver":"file","filename":"/home/libvirt/pool/2k.windows.qcow2","aio":"native","node-name":"libvirt-3-storage","cache":{"direct":true,"no-flush":false},"auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-3-format","read-only":false,"cache":{"direct":true,"no-flush":false},"driver":"qcow2","file":"libvirt-3-storage","backing":null}' \
-device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-3-format","id":"ide0-0-0","bootindex":3,"write-cache":"on"}' \
-device '{"driver":"ide-cd","bus":"ide.1","unit":0,"id":"ide0-1-0","bootindex":2}' \
-device '{"driver":"floppy","unit":0,"id":"fdc0-0-0"}' \
-netdev '{"type":"tap","fd":"32","id":"hostnet0"}' \
-device '{"driver":"rtl8139","netdev":"hostnet0","id":"net0","mac":"52:54:00:10:06:02","bus":"pci.0","addr":"0x5"}' \
-chardev spicevmc,id=charchannel0,name=vdagent \
-device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":1,"chardev":"charchannel0","id":"channel0","name":"com.redhat.spice.0"}' \
-device '{"driver":"usb-tablet","id":"input2","bus":"usb.0","port":"1"}' \
-audiodev '{"id":"audio1","driver":"spice"}' \
-spice port=5900,addr=127.0.0.1,disable-ticketing=on,image-compression=off,seamless-migration=on \
-k en-us \
-device '{"driver":"cirrus-vga","id":"video0","bus":"pci.0","addr":"0x4"}' \
-device '{"driver":"AC97","id":"sound0","audiodev":"audio1","bus":"pci.0","addr":"0x6"}' \
-chardev spicevmc,id=charredir0,name=usbredir \
-device '{"driver":"usb-redir","chardev":"charredir0","id":"redir0","bus":"usb.0","port":"2"}' \
-chardev spicevmc,id=charredir1,name=usbredir \
-device '{"driver":"usb-redir","chardev":"charredir1","id":"redir1","bus":"usb.0","port":"3"}' \
-device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","addr":"0x8"}' \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
-msg timestamp=on
2023-02-09 11:08:57.016+0000: Domain id=3 is tainted: deprecated-config (machine type 'pc-i440fx-1.4')
/usr/bin/qemu-system-i386: 29: exec: /usr/libexec/qemu-system-i386: Permission denied
2023-02-09 11:08:57.152+0000: shutting down, reason=failed



-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-3-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon-system depends on:
ii  adduser                         3.131
ii  debconf [debconf-2.0]           1.5.82
ii  gettext-base                    0.21-11
ii  iptables                        1.8.9-2
ii  libvirt-clients                 9.0.0-1
ii  libvirt-daemon                  9.0.0-1
ii  libvirt-daemon-config-network   9.0.0-1
ii  libvirt-daemon-config-nwfilter  9.0.0-1
ii  libvirt-daemon-system-systemd   9.0.0-1
ii  logrotate                       3.21.0-1
ii  polkitd                         122-3

Versions of packages libvirt-daemon-system recommends:
ii  dmidecode                    3.4-1
ii  dnsmasq-base [dnsmasq-base]  2.89-1
ii  iproute2                     6.1.0-1
pn  mdevctl                      <none>
ii  parted                       3.5-3

Versions of packages libvirt-daemon-system suggests:
ii  apparmor    3.0.8-2+b1
pn  auditd      <none>
ii  nfs-common  1:2.6.2-4
pn  open-iscsi  <none>
pn  pm-utils    <none>
ii  systemd     252.5-2
pn  systemtap   <none>
pn  zfsutils    <none>

-- Configuration Files:
/etc/libvirt/qemu.conf [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'

-- debconf information:
  libvirt-daemon-system/id_warning: true
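
Added example, not part of the original report or of libvirt's packaging: a small triage helper that parses the AppArmor denial quoted in the report and checks whether any file rule in a profile fragment already grants the denied path. The rule text and its "rmix" permission string are constructed assumptions, and the glob matcher is simplified (no character classes or nested alternation).

```python
import re

# Constructed input: the dmesg record from the report, rejoined onto one line.
AUDIT_LINE = (
    '[  926.819853] audit: type=1400 audit(1675940937.111:42): apparmor="DENIED" '
    'operation="exec" profile="libvirt-e66e81f4-a0de-417a-b8f7-6d699f1108e7" '
    'name="/usr/libexec/qemu-system-i386" pid=5543 comm="qemu-system-i38" '
    'requested_mask="x" denied_mask="x" fsuid=64055 ouid=0')

# Constructed stand-in for the abstraction's rule for the wrapper; the "rmix"
# permission string is an assumption, the report does not quote the file.
RULES = "  /usr/bin/qemu-system-i386 rmix,\n"

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    """Simplified AppArmor glob: ** crosses '/', * and ? do not, {a,b} literal."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] in "*?":
            out, i = out + ("[^/]*" if glob[i] == "*" else "[^/]"), i + 1
        elif glob[i] == "{" and "}" in glob[i:]:
            j = glob.index("}", i)
            alts = glob[i + 1:j].split(",")
            out, i = out + "(?:" + "|".join(map(re.escape, alts)) + ")", j + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def triage(line, rules_text):
    """Report the denied path and which file rules, if any, already grant it."""
    d = parse_denial(line)
    if d is None:
        return None
    covered = []
    for raw in rules_text.splitlines():
        parts = raw.split("#", 1)[0].strip().rstrip(",").split()
        if len(parts) == 2 and parts[0].startswith("/"):
            if glob_to_regex(parts[0]).match(d["name"]) and set(d["denied_mask"]) <= set(parts[1]):
                covered.append(" ".join(parts))
    return {"profile": d["profile"], "path": d["name"],
            "mask": d["denied_mask"], "covered_by": covered}

print(triage(AUDIT_LINE, RULES))
```

An empty covered_by list means no rule in the supplied fragment grants the denied path, which is the state the report describes; passing a fragment that also lists /usr/libexec/qemu-system-i386 returns that rule.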


