[Pkg-libvirt-maintainers] Bug#1081396: libvirt-daemon: AppArmor support for QEMU domains is (mostly silently) disabled unless libvirt-daemon-driver-lxc is installed
intrigeri
intrigeri at debian.org
Wed Sep 11 13:21:07 BST 2024
Package: libvirt-daemon
Version: 10.7.0-2
Severity: normal
If libvirt-daemon-driver-lxc is not installed, libvirtd logs this on startup:
libvirtd[2085]: internal error: template '/etc/apparmor.d/libvirt/TEMPLATE.lxc' does not exist
… and then apparently the logic to generate AppArmor profiles for QEMU VMs and
enforce them is disabled. That was not obvious to me: I thought "OK, I don't
have the LXC driver installed, so sure that file is missing, it's fine" and did
not guess this would break a previously working security feature.
I'm under the impression that this breakage happened recently, because just
a few weeks ago I had AppArmor denials break stuff for 1 of my VMs, so it must
have been working back then.
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (2, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.10.9-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libvirt-daemon depends on:
ii libc6 2.40-2
ii libgcc-s1 14.2.0-4
ii libglib2.0-0t64 2.82.0-1
ii libtirpc3t64 1.3.4+ds-1.3
ii libvirt-common 10.7.0-2
ii libvirt-daemon-common 10.7.0-2
ii libvirt0 10.7.0-2
ii libxml2 2.12.7+dfsg-3+b1
ii logrotate 3.22.0-1
Versions of packages libvirt-daemon recommends:
ii libvirt-daemon-driver-interface 10.7.0-2
ii libvirt-daemon-driver-lxc 10.7.0-2
ii libvirt-daemon-driver-network 10.7.0-2
ii libvirt-daemon-driver-nodedev 10.7.0-2
ii libvirt-daemon-driver-nwfilter 10.7.0-2
ii libvirt-daemon-driver-qemu 10.7.0-2
ii libvirt-daemon-driver-secret 10.7.0-2
ii libvirt-daemon-driver-storage 10.7.0-2
ii libvirt-daemon-driver-storage-disk 10.7.0-2
ii libvirt-daemon-driver-storage-iscsi 10.7.0-2
ii libvirt-daemon-driver-storage-logical 10.7.0-2
ii libvirt-daemon-driver-storage-mpath 10.7.0-2
ii libvirt-daemon-driver-storage-scsi 10.7.0-2
pn libvirt-daemon-driver-vbox <none>
pn libvirt-daemon-driver-xen <none>
ii libvirt-daemon-lock 10.7.0-2
ii libvirt-daemon-log 10.7.0-2
ii libvirt-daemon-plugin-lockd 10.7.0-2
ii libvirt-daemon-plugin-sanlock 10.7.0-2
Versions of packages libvirt-daemon suggests:
pn libvirt-daemon-driver-storage-gluster <none>
pn libvirt-daemon-driver-storage-iscsi-direct <none>
pn libvirt-daemon-driver-storage-rbd <none>
pn libvirt-daemon-driver-storage-zfs <none>
ii libvirt-daemon-system 10.7.0-2
-- no debconf information
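Added example (not part of the original report, and not libvirt or Debian code): a shell check for the condition described above. It matches the quoted log message, then reads each running QEMU process's AppArmor label from /proc/<pid>/attr/current. The function names, the libvirt-<uuid> profile-name pattern and the second sample log line are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect the condition from the report above. Run as root so
# that other processes' /proc/<pid>/attr/current files are readable.

# Line 1 is the log message quoted in the report; line 2 is constructed.
SAMPLE_LOG="libvirtd[2085]: internal error: template '/etc/apparmor.d/libvirt/TEMPLATE.lxc' does not exist
libvirtd[2085]: constructed unrelated message"

# Filter log lines on stdin down to libvirtd's missing-template errors.
find_template_errors() {
    grep -F "template '/etc/apparmor.d/libvirt/TEMPLATE." | grep -F "' does not exist"
}

# Classify a label as read from /proc/<pid>/attr/current.
# Assumption: per-domain profiles are named libvirt-<uuid>.
classify_label() {
    case "$1" in
        libvirt-*' (enforce)')  echo confined ;;
        libvirt-*' (complain)') echo complain ;;
        unconfined)             echo unconfined ;;
        *)                      echo other ;;
    esac
}

# Report the confinement of every running QEMU process; return 1 if any of
# them is not running under an enforced libvirt-* profile.
audit_qemu_confinement() {
    rc=0
    for pid in $(pgrep qemu-system 2>/dev/null); do
        label=$(cat "/proc/$pid/attr/current" 2>/dev/null) || continue
        state=$(classify_label "$label")
        echo "pid=$pid label=$label state=$state"
        [ "$state" = confined ] || rc=1
    done
    return "$rc"
}

# Usage: sh check.sh audit   (also scans the journal when journalctl exists)
if [ "${1:-}" = audit ]; then
    if command -v journalctl >/dev/null 2>&1; then
        journalctl -b --no-pager 2>/dev/null | find_template_errors
    fi
    audit_qemu_confinement
fi
```

A non-zero exit from the audit while VMs are running means at least one QEMU process is not under an enforced libvirt-* profile, which is the silent failure the report describes.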