[libvirt PATCH] apparmor: Allow running /usr/libexec/qemu-kvm

Jim Fehlig jfehlig at suse.com
Thu Nov 3 14:24:37 UTC 2022


On 11/3/22 05:13, Andrea Bolognani wrote:
> Distros that use AppArmor, such as Debian and Ubuntu, install
> QEMU under /usr/bin/qemu-system-*, and our AppArmor profile is
> written with that assumption in mind.
> 
> If you try to run the RHEL or CentOS version of libvirt and
> QEMU inside a privileged container on such distros, however,
> that will result in an error, because the path
> /usr/libexec/qemu-kvm is used instead.
> 
> In particular, this prevents upstream KubeVirt releases (which
> are based on CentOS) from running on Debian/Ubuntu nodes. See
> 
>    https://github.com/kubevirt/kubevirt/pull/8692
> 
> and the issues referenced therein for additional details.
> 
> Signed-off-by: Andrea Bolognani <abologna at redhat.com>
> ---
>   src/security/apparmor/usr.sbin.libvirtd.in  | 4 ++++
>   src/security/apparmor/usr.sbin.virtqemud.in | 4 ++++
>   2 files changed, 8 insertions(+)
> 
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> index 886f1ad518..2994de5ec9 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -99,6 +99,10 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
>     # read and run an ebtables script.
>     /var/lib/libvirt/virtd* ixr,
>   
> +  # Needed when running the RHEL/CentOS version of libvirt and QEMU
> +  # inside a privileged container on a Debian/Ubuntu host
> +  /usr/libexec/qemu-kvm PUx,

Based on the comment, agree this should be explicit vs

@libexecdir@/qemu-kvm PUx,

> +
>     # force the use of virt-aa-helper
>     audit deny /{usr/,}sbin/apparmor_parser rwxl,
>     audit deny /etc/apparmor.d/libvirt/** wxl,
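Review bot: the `PUx` mode on the new `/usr/libexec/qemu-kvm` rule falls back to unconfined execution when no profile for that binary is loaded, and the rule is unconditional, so it widens what libvirtd may execute unconfined on every AppArmor host that installs this profile, not only in the containerized RHEL/CentOS scenario the comment describes. Consider spelling that out in the comment (e.g. "executes unconfined unless a profile for qemu-kvm is loaded") or matching whatever execute mode the profile already uses for the distro's qemu-system binaries, so the two entry points are confined consistently.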
> diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in
> index 3de03d49fc..b3f33b9471 100644
> --- a/src/security/apparmor/usr.sbin.virtqemud.in
> +++ b/src/security/apparmor/usr.sbin.virtqemud.in
> @@ -94,6 +94,10 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
>     # read and run an ebtables script.
>     /var/lib/libvirt/virtd* ixr,
>   
> +  # Needed when running the RHEL/CentOS version of libvirt and QEMU
> +  # inside a privileged container on a Debian/Ubuntu host
> +  /usr/libexec/qemu-kvm PUx,
> +
>     # force the use of virt-aa-helper
>     audit deny /{usr/,}sbin/apparmor_parser rwxl,
>     audit deny /etc/apparmor.d/libvirt/** wxl,
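Review bot: the comment's "on a Debian/Ubuntu host" is narrower than the commit message, which frames the problem as affecting any distro that uses AppArmor; suggest wording it "on an AppArmor-enabled host (e.g. Debian/Ubuntu)" in both profiles so the rule is not mistaken for a Debian-specific workaround. Since this hunk and the libvirtd one carry the identical comment and rule, keeping the wording in sync matters.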

Do you also need the path in src/security/apparmor/libvirt-qemu?

Regards,
Jim
