[PATCH 0/4] virt-aa-helper: Add new option to remove corrupted

Christian Ehrhardt christian.ehrhardt at canonical.com
Mon Oct 11 05:56:49 UTC 2021


On Thu, Oct 7, 2021 at 7:25 PM Ioanna Alifieraki
<ioanna-maria.alifieraki at canonical.com> wrote:
>
> This patch-series aims to address the bug reported in [1] and [2].
>
> Bug description:
> Sometimes libvirt fails to start a vm with the following error:
> libvirt: error : unable to set AppArmor profile 'libvirt-b05b297f-952f-42d6-b04e-f9a13767db54' for '/usr/bin/kvm-spice': No such file or directory
> This happens because file /etc/apparmor.d/libvirt/libvirt-<vm-uuid> has 0 size.
> During the vm start-up virt-aa-helper tries to load the profile and because it is 0 it fails.
> When file /etc/apparmor.d/libvirt/libvirt-<vm-uuid> is removed the vm can start without problems.
>
> To address this issue this patch-series suggests the following.
> On the vm start-up check if the profile has 0 size and if this is the case
> remove it and create it again.
> To do so a new option (-P) is introduced and also create and remove profile
> functionalities are placed into separate functions.
>
> The first commit moves create and remove functionalities into functions for later
> reuse from different places.
> The second commit adds a new option (-P) to remove the profile file.
> The third commit implements the actual fix (check if the profile has 0 size and if
> so remove it and create it again).
> The fourth patch adds a test for the above fix.

I'm generally +1 on the overall approach and wanted to thank you for
working on this.
It will fix a rare but real issue.

Jan had a few requests on 3/4 that all seemed reasonable suggestions,
will you submit a v2 addressing those?

> [1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1927519
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890084
>
> Ioanna Alifieraki (4):
>   virt-aa-helper: Move create and remove profile into separate functions
>   virt-aa-helper: Add new purge (-P) option
>   virt-aa-helper: Purge profile if corrupted
>   virt-aa-helper: test: add test for new option -P
>
>  src/security/virt-aa-helper.c | 87 ++++++++++++++++++++++++++---------
>  tests/meson.build             |  1 +
>  tests/virt-aa-helper-test     | 29 ++++++++++++
>  3 files changed, 96 insertions(+), 21 deletions(-)
>
> --
> 2.17.1
>


--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
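
The zero-size check and purge described in the quoted cover letter, as an added C example that is not taken from the patch series or from virt-aa-helper. The names `purge_if_empty`, `make_sample` and the `profile_state` enum are hypothetical, and the temp-file paths are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum profile_state { PROFILE_OK, PROFILE_MISSING, PROFILE_PURGED, PROFILE_ERROR };

/* Hypothetical helper: unlink `path` when it is a zero-length regular file,
 * so the caller can regenerate the profile instead of loading an empty one. */
enum profile_state purge_if_empty(const char *path)
{
    struct stat sb;

    /* lstat() inspects the entry itself and never follows a symlink. */
    if (lstat(path, &sb) < 0)
        return errno == ENOENT ? PROFILE_MISSING : PROFILE_ERROR;
    if (!S_ISREG(sb.st_mode))
        return PROFILE_ERROR;      /* directory, symlink, device: do not touch */
    if (sb.st_size > 0)
        return PROFILE_OK;         /* non-empty: leave it for the parser */
    return unlink(path) == 0 ? PROFILE_PURGED : PROFILE_ERROR;
}

/* Constructed fixture: create a temp file from `tmpl` holding `content`. */
int make_sample(char *tmpl, const char *content)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    size_t len = strlen(content);
    ssize_t n = write(fd, content, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

int main(void)
{
    char empty[] = "/tmp/libvirt-sample-XXXXXX";   /* constructed paths */
    char good[] = "/tmp/libvirt-sample-XXXXXX";

    if (make_sample(empty, "") || make_sample(good, "profile sample {}\n"))
        return 1;
    printf("empty: %d\n", purge_if_empty(empty));  /* PROFILE_PURGED */
    printf("good:  %d\n", purge_if_empty(good));   /* PROFILE_OK */
    unlink(good);
    return 0;
}
```

A caller would regenerate the profile on `PROFILE_PURGED` or `PROFILE_MISSING` and treat `PROFILE_ERROR` as a hard failure rather than deleting anything.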



