[Pkg-libvirt-maintainers] Bug#924418: libvirt-daemon-system: apparmor prevents libvirtd from spawning VMs (Confirmed on Debian Trixie 11.3.0-3)
Nobody Knows
reportbugs-debian.blazing686 at passmail.net
Fri Oct 24 20:58:14 BST 2025
Package: libvirt-daemon-system
Version: 11.3.0-3
Followup-For: Bug #924418
X-Debbugs-Cc: reportbugs-debian.blazing686 at passmail.net
Dear Maintainer,
(Please note: reportbug indicated newer versions 11.8.0-1/2 exist in testing/unstable. This report confirms the bug is present in version 11.3.0-3 as currently installed on my Debian Trixie system.)
I am experiencing an issue on Debian Trixie where libvirtd fails to start QEMU/KVM virtual machines that require UEFI and TPM 2.0 (like Windows 11), seemingly due to an AppArmor integration problem. Both gnome-boxes and virt-manager fail.
**Symptoms:**
1.  Using gnome-boxes: Attempting to create a Windows 11 VM fails with the generic error "incapable host system".
2.  Using virt-manager: Attempting to create the same VM fails repeatedly with a specific libvirt error: "internal error: cannot load AppArmor profile 'libvirt-[UUID]'" (where [UUID] is dynamically generated).
**System Configuration & Prerequisites Confirmed:**
* Debian Trixie (Testing) is up to date (Kernel 6.12.48+deb13-amd64).
* CPU virtualization (VT-x/AMD-V) is enabled and detected.
* Required packages `qemu-system-x86`, `libvirt-daemon-system` (11.3.0-3), `virt-manager`, `ovmf`, and `swtpm-tools` are installed.
* User is added to `libvirt` and `kvm` groups.
* AppArmor is active. `aa-status` shows `libvirtd` and `virt-aa-helper` profiles loaded in enforce mode.
**Debugging Steps Taken & Findings:**
1.  Setting the `/etc/apparmor.d/usr.sbin.libvirtd` profile to complain mode (`sudo aa-complain ...`) **did not** resolve the "cannot load AppArmor profile" error in virt-manager. Profile was returned to enforce mode afterwards.
2.  Identified the helper binary at `/usr/lib/libvirt/virt-aa-helper` and its profile `/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper`.
3.  Setting the `/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper` profile to complain mode **did not** resolve the error, and `sudo dmesg | grep apparmor=\"DENIED\"` showed **no DENIED messages** related to virt-aa-helper or apparmor_parser during the failed VM startup attempt. This indicates the failure is likely not a simple permission denial. Profile was returned to enforce mode afterwards.
4.  The default `virt-aa-helper` profile contains the rule `/{usr/,}{s,}bin/apparmor_parser Ux,`. Modifying this rule to use `Px` (`/{usr/,}{s,}bin/apparmor_parser Px,`) caused AppArmor service reload to fail due to "conflicting x modifiers", indicating `Px` is likely incorrect or incompatible here. The rule was reverted to `Ux`.
**Successful (but Insecure) Workaround:**
* The *only* way found to successfully start the VM was by explicitly disabling AppArmor confinement for QEMU. This was achieved by adding the line `security_driver = "none"` to `/etc/libvirt/qemu.conf` and restarting `libvirtd.service`. This strongly indicates the bug lies within the libvirt-AppArmor interaction for dynamic profile loading.
**Hypothesis:**
There appears to be a bug in how libvirtd/virt-aa-helper attempts to generate and load the dynamic AppArmor profile for the QEMU VM process on Debian Trixie 11.3.0-3. This failure occurs even with complain mode enabled and is not resolved by the standard `Ux` execute permission for `apparmor_parser` within the helper's profile. The failure mode suggests an issue deeper than simple rule denial, potentially related to profile transition or interaction with the kernel API.
Please let me know if any further logs or testing are required.
Thank you for maintaining libvirt.
-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libvirt-daemon-system depends on:
ii  libvirt-clients                 11.3.0-3
ii  libvirt-common                  11.3.0-3
ii  libvirt-daemon                  11.3.0-3
ii  libvirt-daemon-common           11.3.0-3
ii  libvirt-daemon-config-network   11.3.0-3
ii  libvirt-daemon-config-nwfilter  11.3.0-3
ii  libvirt-daemon-driver-network   11.3.0-3
ii  libvirt-daemon-driver-nodedev   11.3.0-3
ii  libvirt-daemon-driver-nwfilter  11.3.0-3
ii  libvirt-daemon-driver-qemu      11.3.0-3
ii  libvirt-daemon-driver-secret    11.3.0-3
ii  libvirt-daemon-driver-storage   11.3.0-3
ii  libvirt-daemon-log              11.3.0-3
ii  libvirt0                        11.3.0-3
libvirt-daemon-system recommends no packages.
libvirt-daemon-system suggests no packages.
-- no debconf information