apparmor denies VFIO passthrough: RLIMIT_MEMLOCK and /dev/vfio/XX
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Fix Released | High | Unassigned |
Bug Description
=======
SRU Justification:
Impact: VFIO passthrough does not work with libvirt
Test case: See "example xml" below
Regression potential: This only adds permission for qemu to access /dev/vfio* when needed, plus cap_sys_resource for libvirtd. No currently working case should be regressed.
=======
When using VFIO for passthrough devices, 2 apparmor violations are encountered:
1) all memory of the VM must be locked, libvirt tries to increase RLIMIT_MEMLOCK
2) access to /dev/vfio/XX is needed by qemu
example xml:
```xml
<hostdev mode='subsystem' type='pci' managed='yes'>
  <driver name='vfio'/>
  <source>
    <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
  </source>
</hostdev>
```
issue #1:
error message on start of VM:
error: internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 18253611008: Operation not permitted
apparmor log:
kernel: [ 783.469784] type=1400 audit(139162086
issue #2:
error message on start of VM:
qemu-system-x86_64: -device vfio-pci,
qemu-system-x86_64: -device vfio-pci,
qemu-system-x86_64: -device vfio-pci,
qemu-system-x86_64: -device vfio-pci,
apparmor log:
kernel: [ 1209.299820] type=1400 audit(139162431
workaround:
```
sudo aa-complain /usr/sbin/libvirtd
sudo aa-complain /etc/apparmor.
```
testing with latest Trusty:
```
ii libvirt-bin 1.2.1-0ubuntu5 amd64 programs for the libvirt library
ii libvirt0    1.2.1-0ubuntu5 amd64 library for interfacing with different virtualization systems
```
Activity log:
tags: added trusty
description: updated
summary: changed from "apparmor denies RLIMIT_MEMLOCK increase needed for VFIO passthrough" to "apparmor denies VFIO passthrough: RLIMIT_MEMLOCK and /dev/vfio/XX"
description: updated
Changed in libvirt (Ubuntu Trusty): importance Undecided → High; status New → Confirmed
Changed in libvirt (Ubuntu): importance Medium → High
tags: added verification-done; removed verification-needed
information type: Public → Public Security
information type: Public Security → Public
Thanks for reporting this bug. It is probably ok to give libvirtd itself the resource capability. However virt-aa-helper will need an update to add access to the appropriate /dev/vfio/* devices.
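As an added illustration (not code from the reporter, nor libvirt's own virt-aa-helper), the following Python shows what the per-VM profile needs for issue #2: it reads the vfio `<hostdev>` addresses from the domain XML, resolves each to its IOMMU group through the sysfs `iommu_group` symlink, and emits the `/dev/vfio/...` rules that would have to land in the VM's generated AppArmor profile. The sample domain XML, the `group_lookup` parameter and the `sysfs` base path are assumptions so the logic can be exercised offline.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample domain wrapping the hostdev element from the bug report.
DOMAIN_XML = """<domain>
  <devices>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
      </source>
    </hostdev>
  </devices>
</domain>"""


def pci_addresses(domain_xml):
    """Return 'DDDD:BB:SS.F' for every PCI hostdev that uses the vfio driver."""
    root = ET.fromstring(domain_xml)
    addrs = []
    for hd in root.iter('hostdev'):
        if hd.get('mode') != 'subsystem' or hd.get('type') != 'pci':
            continue
        drv = hd.find('driver')
        if drv is None or drv.get('name') != 'vfio':
            continue  # legacy pci-assign path does not touch /dev/vfio
        a = hd.find('source/address')
        addrs.append('%04x:%02x:%02x.%x' % tuple(
            int(a.get(k), 16) for k in ('domain', 'bus', 'slot', 'function')))
    return addrs


def iommu_group(pci_addr, sysfs='/sys/bus/pci/devices'):
    """Resolve the IOMMU group number from the sysfs symlink (sysfs path is a parameter for testing)."""
    link = os.readlink(os.path.join(sysfs, pci_addr, 'iommu_group'))
    return os.path.basename(link)


def apparmor_rules(domain_xml, group_lookup=iommu_group):
    """AppArmor file rules qemu needs for VFIO: the container node plus one node per IOMMU group.
    (Issue #1, the RLIMIT_MEMLOCK raise, is a separate 'capability sys_resource,' rule in the
    libvirtd profile, not a file rule in the per-VM profile.)"""
    addrs = pci_addresses(domain_xml)
    if not addrs:
        return []
    rules = ['  /dev/vfio/vfio rw,']
    for group in sorted({group_lookup(a) for a in addrs}):
        rules.append('  /dev/vfio/%s rw,' % group)
    return rules
```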