Comment 3 for bug 1988270

Christian Ehrhardt  (paelzer) wrote :

Focal:
- apparmor 2.13.3-7ubuntu5.1
- kernel 5.4.0-109-generic
- libvirt:
  a) base 6.0.0-0ubuntu8.16
  b) server-backport 8.0.0-1ubuntu7.2~backport20.04.202210042317~ubuntu20.04.1
  c) UCA Yoga 8.0.0-1ubuntu7.1~cloud0

With none of these did a restart trigger the issue as reported.
libvirtd is reported to be in enforce mode by aa-status.

Something must be different on the affected systems, any idea what it might be?

But also bpf is not present in that file for any of those versions.
For me this is always empty:
  $ grep bpf /etc/apparmor.d/usr.sbin.libvirtd

The reason is (and that explains why it felt known to me) that I have resolved that in March.
 https://git.launchpad.net/~canonical-server/ubuntu/+source/libvirt/commit/?h=backport-libvirt-focal&id=21eb63454433d7b2c2b75f197b7064c96cf7d1e8

Since it is a conffile it might not be updated on upgrades, so I have checked that.
Server backports was fine as expected.

Yoga indeed still has bpf after purging and re-installing (to force the default conffile in the package).

And then I can see it:
Oct 05 16:27:58 f apparmor.systemd[48796]: AppArmor parser error for /etc/apparmor.d/usr.sbin.libvirtd in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.

Oct 05 16:27:58 f apparmor.systemd[48720]: Error: At least one profile failed to load
Oct 05 16:27:58 f systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Oct 05 16:27:58 f systemd[1]: apparmor.service: Failed with result 'exit-code'.
Oct 05 16:27:58 f systemd[1]: Failed to start Load AppArmor profiles.

And indeed it is missing here:
https://git.launchpad.net/~ubuntu-cloud-archive/ubuntu/+source/ca-patches/tree/yoga/libvirt.patch

So UCA needs to pick up the patch I referenced above.
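The failure above is the AppArmor parser rejecting a `capability` name it does not know (`bpf` only exists on parsers built for kernels that have CAP_BPF, 5.8 and later). As an added illustration, not part of the bug comment or of any libvirt/apparmor code, here is a small Python checker that extracts every capability rule from a profile and reports the names absent from a caller-supplied set of capabilities the installed parser understands. The sample profile excerpt and both capability sets are constructed for the demo; they are not the real shipped `usr.sbin.libvirtd` profile or the real capability table of any apparmor release.

```python
"""
Added example: find AppArmor `capability` rules a given parser would reject.
Reports (line number, capability name) pairs, mirroring the parser's own
"at line N: Invalid capability <name>" message.
"""
import re

# One capability rule: optional qualifiers (audit/deny/allow), the keyword
# `capability`, zero or more names, then the terminating comma.
_CAP_RULE = re.compile(
    r"^\s*(?:(?:audit|deny|allow)\s+)*capability(?P<names>(?:\s+[a-z_0-9]+)*)\s*,"
)


def strip_comment(line: str) -> str:
    """Drop a trailing `# ...` comment (also blanks `#include` lines, which
    carry no capability rule anyway)."""
    return line.split("#", 1)[0]


def find_capability_rules(profile_text: str):
    """Return [(line_no, [cap, ...]), ...] for every capability rule.
    A bare `capability,` (grant all capabilities) yields an empty name list."""
    rules = []
    for line_no, raw in enumerate(profile_text.splitlines(), start=1):
        m = _CAP_RULE.match(strip_comment(raw))
        if m:
            rules.append((line_no, m.group("names").split()))
    return rules


def unsupported_capabilities(profile_text: str, known_caps):
    """Return [(line_no, cap), ...] for names not in known_caps, i.e. the
    rules the parser would refuse to load."""
    known = set(known_caps)
    bad = []
    for line_no, names in find_capability_rules(profile_text):
        for name in names:
            if name not in known:
                bad.append((line_no, name))
    return bad


# Constructed excerpt in the style of usr.sbin.libvirtd; line numbers are
# relative to this string, not to the real shipped profile.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/sbin/libvirtd flags=(attach_disconnected) {
  #include <abstractions/base>
  capability kill,
  capability net_admin sys_admin,   # two names in one rule
  deny capability bpf,
  # capability sys_rawio,           (commented out, must be ignored)
  capability,
}
"""

# Constructed stand-ins for "what the parser on this host understands".
# A parser that predates CAP_BPF (kernel 5.8) has no "bpf" entry.
OLD_PARSER_CAPS = {"kill", "net_admin", "sys_admin", "sys_rawio"}
NEW_PARSER_CAPS = OLD_PARSER_CAPS | {"bpf", "perfmon"}

if __name__ == "__main__":
    for line_no, cap in unsupported_capabilities(SAMPLE_PROFILE, OLD_PARSER_CAPS):
        print(f"line {line_no}: Invalid capability {cap}")
    # prints: line 6: Invalid capability bpf
```

On a real host the installed parser is the authority: a dry run such as `apparmor_parser -Q -K /etc/apparmor.d/usr.sbin.libvirtd` (skip kernel load, skip cache) reproduces the "Invalid capability" error without touching the running policy, which is a cheaper check than restarting apparmor.service as in the log above. The checker here is useful when the profile and the target parser live on different machines, e.g. reviewing a backported conffile against the capability set of the older release before it ships.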