[Pkg-libvirt-maintainers] Bug#1077915: libvirt-daemon-system: update /etc/apparmor.d/usr.sbin.libvirtd because of move of qemu-bridge-helper
Michael Ott
michael at k-c13.org
Sun Aug 4 13:12:54 BST 2024
Package: libvirt-daemon-system
Version: 10.5.0-1
Severity: important
Dear Maintainer,
After the last update of qemu to 1:9.0.2+ds-2, qemu-bridge-helper was moved from
/usr/lib/qemu/qemu-bridge-helper to /usr/libexec/qemu/qemu-bridge-helper. I
had to update /etc/apparmor.d/usr.sbin.libvirtd and rerun apparmor_parser;
after that it works again.
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (710, 'unstable'), (670, 'testing'), (660, 'experimental'), (600, 'stable'), (500, 'stable-security'), (500, 'oldstable-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf, arm64
Kernel: Linux 6.9.12-amd64 (SMP w/20 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libvirt-daemon-system depends on:
ii adduser 3.137
ii debconf [debconf-2.0] 1.5.87
ii gettext-base 0.22.5-2
ii iptables 1.8.10-4
ii libvirt-clients 10.5.0-1
ii libvirt-daemon 10.5.0-1
ii libvirt-daemon-config-network 10.5.0-1
ii libvirt-daemon-config-nwfilter 10.5.0-1
ii libvirt-daemon-system-systemd 10.5.0-1
ii libvirt0 10.5.0-1
ii logrotate 3.22.0-1
ii polkitd 124-3
Versions of packages libvirt-daemon-system recommends:
ii dmidecode 3.6-1
ii dnsmasq-base [dnsmasq-base] 2.90-4
ii iproute2 6.10.0-1
ii mdevctl 1.3.0-2.1
ii parted 3.6-4
Versions of packages libvirt-daemon-system suggests:
ii apparmor 3.1.7-1+b1
pn auditd <none>
ii nfs-common 1:2.6.4-5
pn open-iscsi <none>
pn pm-utils <none>
ii systemd 256.4-2
pn systemtap <none>
pn zfsutils <none>
-- Configuration Files:
/etc/apparmor.d/usr.sbin.libvirtd changed:
# AppArmor profile for libvirtd, as modified by the reporter. The change that
# matters for this bug is in the two qemu-bridge-helper path rules further
# down: their brace alternation now also lists libexec/qemu, the directory the
# helper was moved to by qemu 1:9.0.2+ds-2 (see the report above).
@{LIBVIRT}="libvirt"
profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/dbus>
# Capabilities granted to libvirtd itself. This is a wide set (sys_admin,
# sys_module, sys_ptrace, sys_rawio, dac_override, ...), which the profile's own
# "very lenient" remark below acknowledges; the confinement focus is the guests.
capability kill,
capability net_admin,
capability net_raw,
capability setgid,
capability sys_admin,
capability sys_module,
capability sys_ptrace,
capability sys_pacct,
capability sys_nice,
capability sys_chroot,
capability setuid,
capability dac_override,
capability dac_read_search,
capability fowner,
capability chown,
capability setpcap,
capability mknod,
capability fsetid,
capability audit_write,
capability ipc_lock,
capability sys_rawio,
capability bpf,
capability perfmon,
# Needed for vfio
capability sys_resource,
# Mount rules for the per-domain private /dev trees libvirt builds under
# /{var/,}run/libvirt/qemu/*.dev/ and moves into place.
mount options=(rw,rslave) -> /,
mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
umount /{var/,}run/libvirt/qemu/*.dev/,
umount /dev/,
# libvirt provides any mounts under /dev to qemu namespaces
mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
network netlink raw,
network packet dgram,
network packet raw,
# for --p2p migrations
unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
# ptrace/signal peers libvirtd is allowed to inspect and control: itself,
# dnsmasq, swtpm and the per-guest libvirt-* profiles.
ptrace (read,trace) peer=unconfined,
ptrace (read,trace) peer=@{profile_name},
ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
ptrace (read,trace) peer=swtpm,
signal (send) peer=dnsmasq,
signal (send) peer=/usr/sbin/dnsmasq,
signal (read, send) peer=libvirt-*,
signal (send) set=("kill", "term") peer=unconfined,
# For communication/control to qemu-bridge-helper
# (the child profile is reached via the Cx transition below, hence the
# libvirtd//qemu_bridge_helper label).
unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),
signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
# allow connect with openGraphicsFD, direction reversed in newer versions
unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
# unconfined also required if guests run without security module
unix (send, receive) type=stream addr=none peer=(label=unconfined),
# required if guests run unconfined seclabel type='none' but libvirtd is confined
signal (read, send) peer=unconfined,
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
# Blanket file access (rwmkl on /**) plus execute-to-unconfined-fallback (PUx)
# for the bin/sbin directories; these are the rules a hardening pass would
# look at first. Note that ordering here matters for review: the explicit
# transition rules for known helpers below override the generic /usr/sbin/* PUx.
/ r,
/** rwmkl,
/bin/* PUx,
/sbin/* PUx,
/usr/bin/* PUx,
/usr/sbin/virtlogd pix,
/usr/sbin/* PUx,
/{usr/,}lib/udev/scsi_id PUx,
/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
/usr/{lib,lib64,libexec}/xen/bin/* Ux,
/usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
/usr/{lib,libexec}/xen-*/bin/pygrub PUx,
/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
# read and run an ebtables script.
/var/lib/libvirt/virtd* ixr,
# force the use of virt-aa-helper
# These denials are audited, so a libvirtd attempt to load profiles directly
# (bypassing virt-aa-helper) shows up in the audit log rather than failing
# silently.
audit deny /{usr/,}sbin/apparmor_parser rwxl,
audit deny /etc/apparmor.d/libvirt/** wxl,
audit deny /sys/kernel/security/apparmor/features rwxl,
audit deny /sys/kernel/security/apparmor/matching rwxl,
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
/usr/lib/libvirt/* PUxr,
/usr/lib/libvirt/libvirt_parthelper ix,
/usr/lib/libvirt/libvirt_iohelper ix,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
# allow changing to our UUID-based named profiles
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
# Transition (Cx) into the qemu_bridge_helper child profile below. The
# alternation must list every directory the helper may be installed in; the
# libexec/qemu entry is what this bug report adds. Keep this line and the
# helper's own rmix rule inside the child profile in sync.
/usr/{lib,lib64,lib/qemu,libexec/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
# child profile for bridge helper process
# Deliberately narrow compared with the parent: only the capabilities the
# setuid helper needs, the tun device, and read access under /etc/qemu
# (presumably where its bridge configuration lives — not shown here).
profile qemu_bridge_helper {
#include <abstractions/base>
capability setuid,
capability setgid,
capability setpcap,
capability net_admin,
network inet stream,
# For communication/control from libvirtd
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
signal (receive) set=("term") peer=/usr/sbin/libvirtd,
signal (receive) set=("term") peer=libvirtd,
/dev/net/tun rw,
/etc/qemu/** r,
owner @{PROC}/*/status r,
# Must match the Cx rule in the parent profile; it also lists libexec/qemu.
/usr/{lib,lib64,lib/qemu,libexec/qemu,libexec}/qemu-bridge-helper rmix,
}
# Conventional hook for site-local additions; keeping local changes there
# instead of editing this file avoids them being clobbered by package updates.
include if exists <local/usr.sbin.libvirtd>
}
/etc/libvirt/qemu.conf [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'
-- debconf information:
libvirt-daemon-system/id_warning: true