[Pkg-libvirt-maintainers] Bug#1092135: libvirt-daemon-driver-qemu: apparmor policy prevents using qemu pipewire plugin

Paul Aurich paul at debian.m.darkrain42.org
Sun Jan 5 01:43:59 GMT 2025


Package: libvirt-daemon-driver-qemu
Version: 10.10.0-3
Severity: normal

<audio type="pipewire"> doesn't work with libvirt launching a qemu VM --
apparmor prevents qemu from reading pipewire's config files:

    error loading config '/usr/share/pipewire/client.conf': Permission denied

Full error from libvirt:

    Error starting domain: internal error: QEMU unexpectedly closed the monitor (vm='windows'): [W][00072.258380] pw.conf      | [          conf.c:  425 conf_load()] 0x56525efc1b90: error loading config '/usr/share/pipewire/client.conf': Permission denied
    [W][00072.258417] pw.conf      | [          conf.c: 1214 try_load_conf()] can't load config client.conf: Permission denied
    [E][00072.258425] pw.conf      | [          conf.c: 1243 pw_conf_load_conf_for_context()] can't load config client.conf: Permission denied
    2025-01-04T19:47:34.028540Z qemu-system-x86_64: Could not create PipeWire context: Permission denied

    Traceback (most recent call last):
      File "/usr/share/virt-manager/virtManager/asyncjob.py", line 71, in cb_wrapper
        callback(asyncjob, *args, **kwargs)
      File "/usr/share/virt-manager/virtManager/asyncjob.py", line 107, in tmpcb
        callback(*args, **kwargs)
      File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
        ret = fn(self, *args, **kwargs)
              ^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/share/virt-manager/virtManager/object/domain.py", line 1384, in startup
        self._backend.create()
      File "/usr/lib/python3/dist-packages/libvirt.py", line 1379, in create
        raise libvirtError('virDomainCreate() failed')
    libvirt.libvirtError: internal error: QEMU unexpectedly closed the monitor (vm='windows'): [W][00072.258380] pw.conf      | [          conf.c:  425 conf_load()] 0x56525efc1b90: error loading config '/usr/share/pipewire/client.conf': Permission denied
    [W][00072.258417] pw.conf      | [          conf.c: 1214 try_load_conf()] can't load config client.conf: Permission denied
    [E][00072.258425] pw.conf      | [          conf.c: 1243 pw_conf_load_conf_for_context()] can't load config client.conf: Permission denied
    2025-01-04T19:47:34.028540Z qemu-system-x86_64: Could not create PipeWire context: Permission denied


The pertinent bits of the domain XML:

    <domain type="kvm">
    [...]
      <devices>
        [...]
        <sound model="ich9">
          <address type="pci" domain="0x0000" bus="0x00" slot="0x1b" function="0x0"/>
        </sound>
        <audio id="1" type="pipewire" runtimeDir="/run/user/1000">
          <input name="qemuinput"/>
          <output name="qemuoutput"/>
        </audio>
        [...]
      </devices>
    </domain>

I fixed this by adding an '#include <abstractions/audio>' to the libvirt-qemu
apparmor policy and then reloading apparmor:

    paul@redcloak ~ % cat /etc/apparmor.d/abstractions/libvirt-qemu.d/local-audio
    # Allow libvirt QEMU VMs access to audio stuff (i.e. pipewire config files and
    # pipes)

    #include <abstractions/audio>
    paul@redcloak ~ %

(This also worked when included in the /etc/apparmor/libvirt/ file for
a specific VM).


I also had to add 'user = "paul"' into /etc/libvirt/qemu.conf, otherwise
libvirt reported:

    2025-01-05T01:22:07.268875Z qemu-system-x86_64: Failed to connect to PipeWire instance: Host is down

(I'm just mentioning that for the sake of completeness.  I was expecting to need
to make that config change.)


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (450, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.6-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon-driver-qemu depends on:
ii  adduser                     3.137
ii  debconf [debconf-2.0]       1.5.89
ii  libc6                       2.40-4
ii  libgcc-s1                   14.2.0-8
ii  libglib2.0-0t64             2.82.4-1
ii  libgnutls30t64              3.8.8-2
ii  libselinux1                 3.7-3+b1
ii  libvirt-common              10.10.0-3
ii  libvirt-daemon-log          10.10.0-3
ii  libvirt0                    10.10.0-3
ii  libxml2                     2.12.7+dfsg+really2.9.14-0.2+b1
ii  logrotate                   3.22.0-1
ii  qemu-system-x86 [qemu-kvm]  1:9.2.0+ds-2
ii  systemd-container           257.1-5

Versions of packages libvirt-daemon-driver-qemu recommends:
pn  passt        <none>
ii  swtpm        0.7.1-1.5
ii  swtpm-tools  0.7.1-1.5

Versions of packages libvirt-daemon-driver-qemu suggests:
ii  numad  0.5+20150602-8+b2

-- Configuration Files:
/etc/libvirt/qemu.conf [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'

-- debconf information:
  libvirt-daemon-driver-qemu/id_warning: true
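
An added example, not part of the original report or of libvirt's code: one way to confirm from the kernel audit log which paths AppArmor denied to a per-VM `libvirt-<uuid>` profile, and to list exact-path rules for review before deciding whether the whole `abstractions/audio` include is needed. The log lines, UUID, PIDs and socket path are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input in the kernel AppArmor audit format; the UUID,
# PIDs and socket path are made up for this example (not from the report).
SAMPLE_LOG = '''\
audit: type=1400 audit(1736020054.028:101): apparmor="DENIED" operation="open" class="file" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/usr/share/pipewire/client.conf" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1736020054.029:102): apparmor="DENIED" operation="open" class="file" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/usr/share/pipewire/client.conf" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1736020054.030:103): apparmor="DENIED" operation="connect" class="file" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/run/user/1000/pipewire-0" pid=4242 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
audit: type=1400 audit(1736020054.031:104): apparmor="ALLOWED" operation="open" class="file" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/etc/ld.so.cache" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1736020054.032:105): apparmor="DENIED" operation="open" class="file" profile="other-profile" name="/home/user/notes.txt" pid=77 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_fields(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        # Names with spaces or quotes are logged unquoted and hex-encoded.
        if key == "name" and bare and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields

def libvirt_denials(log_text):
    """Map each libvirt-* profile to {path: set of denied mask letters}."""
    denied = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or not f.get("profile", "").startswith("libvirt-"):
            continue
        denied[f["profile"]][f.get("name", "")].update(f.get("denied_mask", ""))
    return denied

def candidate_rules(denied):
    """Render exact-path file rules for review; nothing is written to disk."""
    rules = set()
    for paths in denied.values():
        for path, mask in paths.items():
            if not path:
                continue
            # Logged 'c' (create) and 'd' (delete) are granted by 'w' in policy.
            perms = "".join(sorted({"w" if c in "cd" else c for c in mask}))
            shown = f'"{path}"' if " " in path else path
            rules.add(f"{shown} {perms},")
    return sorted(rules)

if __name__ == "__main__":
    print("\n".join(candidate_rules(libvirt_denials(SAMPLE_LOG))))
```

On a live system the input would be the kernel log covering the failed VM start instead of `SAMPLE_LOG`.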


