QEMU 2.10 may require AppArmor updates for pflash devices
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
From: https:/
I've been testing w/ local QEMU builds on ARM64 and I've found that, starting at commit:
244a56681 file-posix: Add image locking to perm operations
My test case (attached to this bug) began to fail with:
error: Failed to start domain 7936-0
error: internal error: process exited while connecting to monitor:
2017-08-
file=/home/
Failed to unlock byte 100
2017-08-
file=/home/
Failed to unlock byte 100
2017-08-
file=/home/
Failed to lock byte 100
tags: added: qemu-file-locking
Thanks for spawning off that bug from the former discussion Dann!
I'd really like to see the associated dmesg for the expected apparmor denial to be confirmed.
Given your XML I was able to check what we get generated (stripped down to the interesting bits).
$ ./src/virt-aa-helper --create --dryrun --uuid 'libvirt-bead65d7-c9ed-4cdc-9a2c-953fbb59faf8' < ~/Downloads/5531-0.xml
"/home/ubuntu/vm-start-stop/vms/5531-0.img" rwk,
"/home/ubuntu/vm-start-stop/vms/5531-0_CODE.fd" r,
# don't audit writes to readonly files
deny "/home/ubuntu/vm-start-stop/vms/5531-0_CODE.fd" w,
"/home/ubuntu/vm-start-stop/vms/5531-0_VARS.fd" rw,
So we have an explicit readonly and the new code is trying a lock.
The deny is to have writes not fill up logs and deny silently.
Very likely we need (mind the k there):
"/home/ubuntu/vm-start-stop/vms/5531-0_CODE.fd" rk,
If you want you can try to tune "/etc/apparmor.d/libvirt/libvirt-<uuid>" before the include to the .files (or in /etc/apparmor.d/abstractions/libvirt-qemu for all guests) with rules to allow that if that unblocks you.
I'm not sure if locking requires write in the apparmor way of thinking.
In the worst case the explicit deny will hide that - so consider removing it if you see nothing.
Looking forward to the dmesg to confirm
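As an added illustration (not part of this bug report and not libvirt's or QEMU's code), the script below does the check the comment above asks for: it parses AppArmor DENIED lines in the form dmesg reports them, compares the denied permission masks against the rules virt-aa-helper generated for the guest, and proposes the minimal rule addition. The dmesg lines are constructed samples in the standard AppArmor audit format (the bug report itself contains no dmesg output); the profile rules are the ones quoted in the comment above, with the wrapped paths re-joined. The explicit `deny ... w,` is honoured, so the script only proposes adding the lock permission (`k`) to the existing read rule, and never a write rule for the read-only pflash image.

```python
import re
from collections import defaultdict

# Constructed sample dmesg output (not from the bug report): one file_lock
# denial for the byte lock QEMU 2.10 takes on the read-only CODE.fd, one
# write denial that the generated profile silently denies on purpose, and
# one unrelated STATUS line that must be ignored.
SAMPLE_DMESG = """\
[ 1234.567890] audit: type=1400 audit(1503000000.123:45): apparmor="DENIED" operation="file_lock" profile="libvirt-bead65d7-c9ed-4cdc-9a2c-953fbb59faf8" name="/home/ubuntu/vm-start-stop/vms/5531-0_CODE.fd" pid=4242 comm="qemu-system-aarch64" requested_mask="k" denied_mask="k" fsuid=64055 ouid=1000
[ 1234.567900] audit: type=1400 audit(1503000000.124:46): apparmor="DENIED" operation="open" profile="libvirt-bead65d7-c9ed-4cdc-9a2c-953fbb59faf8" name="/home/ubuntu/vm-start-stop/vms/5531-0_CODE.fd" pid=4242 comm="qemu-system-aarch64" requested_mask="w" denied_mask="w" fsuid=64055 ouid=1000
[ 1234.568000] audit: type=1400 audit(1503000000.125:47): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-bead65d7-c9ed-4cdc-9a2c-953fbb59faf8" pid=1 comm="apparmor_parser"
"""

# The rules virt-aa-helper printed for this guest in the comment above.
EXISTING_PROFILE = """\
"/home/ubuntu/vm-start-stop/vms/5531-0.img" rwk,
"/home/ubuntu/vm-start-stop/vms/5531-0_CODE.fd" r,
# don't audit writes to readonly files
deny "/home/ubuntu/vm-start-stop/vms/5531-0_CODE.fd" w,
"/home/ubuntu/vm-start-stop/vms/5531-0_VARS.fd" rw,
"""

# key="quoted value" or key=bareword, as in AppArmor audit records
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# "/path" perms,  or  deny "/path" perms,
RULE_RE = re.compile(r'^\s*(deny\s+)?"([^"]+)"\s+([a-z]+),\s*$')
# canonical ordering for the permission letters in a generated rule
MASK_ORDER = "rwklmix"


def parse_denials(dmesg_text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    denials = []
    for line in dmesg_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in FIELD_RE.finditer(line):
            key, raw, quoted = m.group(1), m.group(2), m.group(3)
            fields[key] = quoted if quoted is not None else raw
        denials.append(fields)
    return denials


def parse_profile_rules(profile_text):
    """Map each path to the permission letters it is allowed and denied."""
    rules = defaultdict(lambda: {"allow": set(), "deny": set()})
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        kind = "deny" if m.group(1) else "allow"
        rules[m.group(2)][kind].update(m.group(3))
    return rules


def suggest_rules(profile_text, dmesg_text):
    """Propose replacement rules that grant what was denied, except for
    permissions the profile denies explicitly (e.g. the silent write deny)."""
    rules = parse_profile_rules(profile_text)
    wanted = defaultdict(set)
    for d in parse_denials(dmesg_text):
        wanted[d["name"]].update(d.get("denied_mask", ""))
    suggestions = []
    for path, mask in sorted(wanted.items()):
        have, denied = rules[path]["allow"], rules[path]["deny"]
        missing = mask - have - denied
        if not missing:
            continue
        combined = have | missing
        new_mask = "".join(c for c in MASK_ORDER if c in combined)
        new_mask += "".join(sorted(combined - set(MASK_ORDER)))
        suggestions.append(f'"{path}" {new_mask},')
    return suggestions


if __name__ == "__main__":
    for rule in suggest_rules(EXISTING_PROFILE, SAMPLE_DMESG):
        print(rule)
```

On the constructed input the only proposal is `"/home/ubuntu/vm-start-stop/vms/5531-0_CODE.fd" rk,`, which is the rule the comment above expects; on a real host the same logic applies to the `type=1400` lines `dmesg` prints while the domain fails to start.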