By debugging various bugs I've found several entries missing in the libvirt-qemu apparmor abstraction.
Those issues - now that they are understood - are taken out of the original bugs to focus on the remaining debugging there.
None of these are per Guest, so add to /etc/apparmor.d/abstractions/libvirt-qemu
The missing entries as identified are:

#1
For virtual functions the generic vfio interface, in /etc/apparmor.d/abstractions/libvirt-qemu like:
# allow guest access to the generic base vfio interface (LP: #1678322)
/dev/vfio/vfio rw,
I checked with the security team and also according to https://www.kernel.org/doc/Documentation/vfio.txt this base interface should be safe to be allowed.

#2
Binaries for ppc64el based checks in the kvm wrapper script.
That wrapper extension about smt awareness was tested and works fine as-is, but not when driven via libvirt due to the profile restrictions.
apparmor="DENIED" operation="exec" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/usr/sbin/ppc64_cpu" pid=9539 comm="kvm" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0
apparmor="DENIED" operation="exec" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/bin/grep" pid=9541 comm="kvm" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0

#3
Qemu tries to read who killed it to report on shutdown
[ 518.615420] audit: type=1400 audit(1491467132.255:21): apparmor="DENIED" operation="open" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/proc/7989/cmdline" pid=9531 comm="qemu-system-ppc" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
The following should be rather safe
/proc/*/cmdline r,
That will make the <unknown process> in logs like the following more readable:
"qemu-system-ppc64: terminating on signal 15 from pid 10924 (<unknown process>)"
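An added example, not part of the bug report: a small parser that turns the apparmor DENIED records quoted above into per-path candidate abstraction rules, so a triager can see exactly what a profile change would open up before touching the abstraction. The /proc/<pid> generalisation and the use of the `ix` exec transition for the wrapper's helper binaries are my assumptions, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: the three denials from the report, re-joined onto single lines.
SAMPLE_AUDIT = """\
[  518.615420] audit: type=1400 audit(1491467132.255:21): apparmor="DENIED" operation="open" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/proc/7989/cmdline" pid=9531 comm="qemu-system-ppc" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
apparmor="DENIED" operation="exec" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/usr/sbin/ppc64_cpu" pid=9539 comm="kvm" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0
apparmor="DENIED" operation="exec" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/bin/grep" pid=9541 comm="kvm" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0
"""

# key="quoted value" or key=bareword, as emitted by the AppArmor audit backend
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_denials(text):
    """Return one dict of key/value fields per line carrying apparmor="DENIED"."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in FIELD_RE.finditer(line):
            key = m.group(1) or m.group(3)
            fields[key] = m.group(2) if m.group(1) else m.group(4)
        records.append(fields)
    return records


def generalize(path):
    # Assumption: a pid component under /proc is per-process noise; the report
    # itself proposes the wildcard form /proc/*/cmdline.
    return re.sub(r"^/proc/\d+/", "/proc/*/", path)


def suggest_rules(denials):
    """Collapse denials to (profile, path) -> denied mode and render candidate rules."""
    modes = defaultdict(set)
    for d in denials:
        modes[(d["profile"], generalize(d["name"]))].update(d.get("denied_mask", ""))
    rules = []
    for (_profile, path), mode_set in sorted(modes.items()):
        mode = "".join(sorted(mode_set))
        if "x" in mode:
            # Assumption: 'ix' (inherit the confining profile) is the conservative
            # transition for helpers the kvm wrapper execs; adjust after review.
            mode = mode.replace("x", "ix")
        rules.append(f"{path} {mode},")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(parse_denials(SAMPLE_AUDIT)):
        print(rule)
```

Each rule still needs review against the abstraction's scope (for example whether a helper should instead get `Px` or an explicit `owner` qualifier) before it is committed.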