[Pkg-libvirt-maintainers] Bug#1081396: libvirt-daemon: AppArmor support for QEMU domains is (mostly silently) disabled unless libvirt-daemon-driver-lxc is installed

intrigeri intrigeri at debian.org
Wed Sep 11 13:21:07 BST 2024 

Package: libvirt-daemon
Version: 10.7.0-2
Severity: normal

If libvirt-daemon-driver-lxc is not installed, libvirtd logs this on startup:

  libvirtd[2085]: internal error: template '/etc/apparmor.d/libvirt/TEMPLATE.lxc' does not exist

… and then apparently the logic to generate AppArmor profiles for QEMU VMs and
enforce them is disabled. That was not obvious to me: I thought "OK, I don't
have the LXC driver installed, so sure that file is missing, it's fine" and did
not guess this would break a previously working security feature.

I'm under the impression that this breakage happened recently, because just
a few weeks ago I had AppArmor denials break stuff for 1 of my VMs, so it must
have been working back then.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (2, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii  libc6                  2.40-2
ii  libgcc-s1              14.2.0-4
ii  libglib2.0-0t64        2.82.0-1
ii  libtirpc3t64           1.3.4+ds-1.3
ii  libvirt-common         10.7.0-2
ii  libvirt-daemon-common  10.7.0-2
ii  libvirt0               10.7.0-2
ii  libxml2                2.12.7+dfsg-3+b1
ii  logrotate              3.22.0-1

Versions of packages libvirt-daemon recommends:
ii  libvirt-daemon-driver-interface        10.7.0-2
ii  libvirt-daemon-driver-lxc              10.7.0-2
ii  libvirt-daemon-driver-network          10.7.0-2
ii  libvirt-daemon-driver-nodedev          10.7.0-2
ii  libvirt-daemon-driver-nwfilter         10.7.0-2
ii  libvirt-daemon-driver-qemu             10.7.0-2
ii  libvirt-daemon-driver-secret           10.7.0-2
ii  libvirt-daemon-driver-storage          10.7.0-2
ii  libvirt-daemon-driver-storage-disk     10.7.0-2
ii  libvirt-daemon-driver-storage-iscsi    10.7.0-2
ii  libvirt-daemon-driver-storage-logical  10.7.0-2
ii  libvirt-daemon-driver-storage-mpath    10.7.0-2
ii  libvirt-daemon-driver-storage-scsi     10.7.0-2
pn  libvirt-daemon-driver-vbox             <none>
pn  libvirt-daemon-driver-xen              <none>
ii  libvirt-daemon-lock                    10.7.0-2
ii  libvirt-daemon-log                     10.7.0-2
ii  libvirt-daemon-plugin-lockd            10.7.0-2
ii  libvirt-daemon-plugin-sanlock          10.7.0-2

Versions of packages libvirt-daemon suggests:
pn  libvirt-daemon-driver-storage-gluster       <none>
pn  libvirt-daemon-driver-storage-iscsi-direct  <none>
pn  libvirt-daemon-driver-storage-rbd           <none>
pn  libvirt-daemon-driver-storage-zfs           <none>
ii  libvirt-daemon-system                       10.7.0-2

-- no debconf information

More information about the Pkg-libvirt-maintainers mailing list