apparmor denied libvirt with TPM

Bug #1636216 reported by Nelson Chan on 2016-10-24
Affects: apparmor (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

I use libvirt 2.1.0 from Ubuntu 16.10 x64 to run a Windows 10 VM. The VM runs fine if I do not add a TPM device. If I add a TPM device to the VM, I get the following errors when I try to start the VM:

Connecting to monitor: 2016-10-24T14:03:37.178943Z qemu-system-x86_64: -tpmdev passthrough,id=tpm-tpm0,path=/dev/fdset/2,cancel-path=/dev/fdset/3: '/dev/fdset/2' is not a TPM device.

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 90, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 126, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1402, in startup
    self._backend.create()
  File "/usr/lib/python2.7/dist-packages/libvirt.py", line 1035, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error: process exited while connecting to monitor: 2016-10-24T14:03:37.178943Z qemu-system-x86_64: -tpmdev passthrough,id=tpm-tpm0,path=/dev/fdset/2,cancel-path=/dev/fdset/3: '/dev/fdset/2' is not a TPM device.

And in dmesg, there are some AppArmor denied messages:

[ 2187.750789] audit: type=1400 audit(1477317876.064:97): apparmor="DENIED" operation="file_perm" profile="libvirt-c908a520-d74c-4557-a92e-da114eb49d65" name="/dev/tpm0" pid=8884 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=122 ouid=122
[ 2187.750803] audit: type=1400 audit(1477317876.064:98): apparmor="DENIED" operation="file_perm" profile="libvirt-c908a520-d74c-4557-a92e-da114eb49d65" name="/dev/tpm0" pid=8884 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=122 ouid=122
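The dmesg lines above are the evidence a defender keys on: the per-VM libvirt profile denies the QEMU process write access to /dev/tpm0. Below is an added example (not from the bug report or from libvirt) that parses such type=1400 AppArmor audit lines, groups the denials by profile, path and denied mask, and prints the file rule that would grant exactly the denied access so it can be compared against the generated profile; the sample input is the two lines quoted above, embedded inline.

```python
import re
from collections import Counter

# Constructed sample: the two AppArmor audit lines quoted in the bug report.
DMESG_SAMPLE = """\
[ 2187.750789] audit: type=1400 audit(1477317876.064:97): apparmor="DENIED" operation="file_perm" profile="libvirt-c908a520-d74c-4557-a92e-da114eb49d65" name="/dev/tpm0" pid=8884 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=122 ouid=122
[ 2187.750803] audit: type=1400 audit(1477317876.064:98): apparmor="DENIED" operation="file_perm" profile="libvirt-c908a520-d74c-4557-a92e-da114eb49d65" name="/dev/tpm0" pid=8884 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=122 ouid=122
"""

# key="quoted value" or key=bareword, as emitted by the AppArmor audit format.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def libvirt_denials(text):
    """Count DENIED events from libvirt per-VM profiles, keyed by (profile, path, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_apparmor_line(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        # libvirt names each guest's dynamic profile libvirt-<domain uuid>.
        if not f.get("profile", "").startswith("libvirt-"):
            continue
        counts[(f["profile"], f["name"], f["denied_mask"])] += 1
    return counts


def suggested_rule(path, mask):
    """AppArmor file rule granting exactly the denied access; review it against the profile before use."""
    return f"{path} {mask},"


if __name__ == "__main__":
    for (profile, path, mask), n in libvirt_denials(DMESG_SAMPLE).items():
        print(f"{profile}: {n}x denied {mask!r} on {path} -> missing rule: {suggested_rule(path, mask)}")
```

The printed rule is what to look for in the guest's generated profile files under /etc/apparmor.d/libvirt/; a TPM passthrough guest whose profile lacks it will fail exactly as this report shows.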
