more apparmor denials for opengl usage
Bug #1815452 reported by Christian Ehrhardt
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
In bug 1804766 we tracked enabling more opengl features - that included enabling it as well as some virt-aa-helper code that adds rendernodes if needed.
As expected, different use cases of opengl expose more apparmor denials. Let's track, fix and upstream those.
I'm planning to also use mdev passthrough, but that will be another bug.
Testcase for now will be
1. download an ubuntu desktop image
2. install that iso to a new guest with virt manager
3. shut down guest
4. enable opengl (need to set spice port to local as well)
x. iterate issues until the guest is running
y. ensure the graphical UI is usable on the gl enabled spice port
Changed in libvirt (Ubuntu):
status: New → Triaged
description: updated
Denies/log entries and their related solution:
XML snippet generated:
<graphics type='spice'>
<listen type='none'/>
<image compression='off'/>
<gl enable='yes'/>
</graphics>
(no rendernode set and no other gl reference got added).
Generated profile (did gl detection trigger?):
Has no references to rendernodes that should be added by virt-aa-helper
guest log fails as almost expected:
2019-02-11T14:39:27.034392Z qemu-system-x86_64: Failed to initialize EGL render node for SPICE GL
Log:
[ 5585.656039] audit: type=1400 audit(1549895967.029:150): apparmor="DENIED" operation="open" profile="libvirt-2f6bde7c-1d3d-498a-b96c-8920f165fa4c" name="/dev/dri/renderD128" pid=12606 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=108 ouid=108
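One way to turn denial records like the one in the comment above into candidate profile rules for review. This is an added example, not part of the bug report and not libvirt's or virt-aa-helper's code. The function names are hypothetical; the first sample line is the denial quoted above, and the other two are constructed.

```python
import re
from collections import defaultdict

# First line: the denial from the comment above. Lines two and three are constructed.
SAMPLE_LOG = '''\
[ 5585.656039] audit: type=1400 audit(1549895967.029:150): apparmor="DENIED" operation="open" profile="libvirt-2f6bde7c-1d3d-498a-b96c-8920f165fa4c" name="/dev/dri/renderD128" pid=12606 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=108 ouid=108
[ 5585.700000] audit: type=1400 audit(1549895967.073:151): apparmor="DENIED" operation="open" profile="libvirt-2f6bde7c-1d3d-498a-b96c-8920f165fa4c" name="/dev/dri/renderD128" pid=12606 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=108
[ 5586.000000] audit: type=1400 audit(1549895967.373:152): apparmor="ALLOWED" operation="open" profile="example" name="/tmp/x" pid=1 comm="x" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value pairs, as they appear in audit records.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit mask letters -> profile permissions; create (c) and delete (d) are
# covered by w. Exec (x) is skipped: it needs a hand-picked transition mode.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "k": "k", "l": "l", "m": "m",
                "c": "w", "d": "w"}
PERM_ORDER = "rwaklm"

def parse_denials(text):
    """Yield one field dict per apparmor="DENIED" file record."""
    for line in text.splitlines():
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in KV.finditer(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields

def candidate_rules(text):
    """Return {profile: [rule, ...]}, one merged rule per denied path."""
    perms = defaultdict(set)  # (profile, path) -> permissions seen
    for rec in parse_denials(text):
        for ch in rec.get("denied_mask", ""):
            if ch in MASK_TO_PERM:
                perms[(rec["profile"], rec["name"])].add(MASK_TO_PERM[ch])
    rules = defaultdict(list)
    for (profile, path), p in sorted(perms.items()):
        if "w" in p:
            p.discard("a")  # apparmor_parser rejects a and w in one rule
        mode = "".join(c for c in PERM_ORDER if c in p)
        if mode:
            rules[profile].append(f"{path} {mode},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(profile, *lines, sep="\n  ")
```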