[libvirt PATCH] apparmor: Allow running /usr/libexec/qemu-kvm

Daniel P. Berrangé berrange at redhat.com
Fri Nov 4 16:23:16 UTC 2022


On Fri, Nov 04, 2022 at 10:21:53AM -0600, Jim Fehlig wrote:
> On 11/3/22 11:23, Daniel P. Berrangé wrote:
> > On Thu, Nov 03, 2022 at 12:35:15PM -0400, Andrea Bolognani wrote:
> > > On Thu, Nov 03, 2022 at 03:39:44PM +0100, Peter Krempa wrote:
> > > > On Thu, Nov 03, 2022 at 12:13:53 +0100, Andrea Bolognani wrote:
> > > > > Distros that use AppArmor, such as Debian and Ubuntu, install
> > > > > QEMU under /usr/bin/qemu-system-*, and our AppArmor profile is
> > > > > written with that assumption in mind.
> > > > > 
> > > > > If you try to run the RHEL or CentOS version of libvirt and
> > > > > QEMU inside a privileged container on such distros, however,
> > > > > that will result in an error, because the path
> > > > > /usr/libexec/qemu-kvm is used instead.
> > > > 
> > > > So IIUC by this patch you modify the profile which gets installed into
> > > > the Debian/Ubuntu host system by the Debian/Ubuntu package which then in
> > > > turn allows the non-Debian/Ubuntu libvirt in the container to do its
> > > > job?
> > > 
> > > Pretty much.
> > > 
> > > > I'm basing the above on the fact that the RHEL/CentOS package is
> > > > compiled with:
> > > > 
> > > >             -Dapparmor=disabled \
> > > >             -Dapparmor_profiles=disabled \
> > > >             -Dsecdriver_apparmor=disabled \
> > > > 
> > > > By extension, does that mean that you have to install libvirt on your
> > > > host so that you can in turn run a container (which I'd presume is
> > > > opaque) with libvirt bundled inside?
> > > 
> > > It's actually the other way around :)
> > > 
> > > If you don't have libvirt installed on the Debian/Ubuntu host, then
> > > the AppArmor profile won't be present and the containerized CentOS
> > > libvirt will be allowed to start the containerized CentOS QEMU.
> > > 
> > > If you *do* have libvirt installed on the Debian/Ubuntu host, then
> > > the AppArmor profile will also be applied to the containerized CentOS
> > > libvirt and running the containerized CentOS QEMU will be forbidden.
> > > 
> > > Patching the AppArmor policy is supposed to help with the second
> > > scenario.
> > 
> > I don't see how this can work properly.
> 
> Agree this scenario is a little suspect, but does this patch still have
> value? Is it possible to build/enable apparmor on a CentOS host, or is that
> impractical?

Anything's possible, but you'd be building a new kernel, and
creating packages for the apparmor library, and rebuilding
libvirt to enable apparmor too. Seems unlikely.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|