Apparmor /dev/net/tun overflow

Bug #2120278 reported by Vasyl Saienko
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libvirt (Ubuntu) | Fix Released | Medium | Unassigned | |
| Jammy | Fix Released | Undecided | Unassigned | |
| Noble | Fix Released | Undecided | Hector CAO | |
| Plucky | Fix Released | Undecided | Hector CAO | |
| Questing | Fix Released | Medium | Unassigned | |

Bug Description

[ Impact ]

 * libvirt calls virt-aa-helper (with argument -F)
   to append a new rule to the apparmor profile of the VM.
   virt-aa-helper does not check for duplicates and blindly
   appends the rule to the profile. Since there is no rule
   removal when a device is detached, this can make the
   profile grow in size and even hit the size limit.

 * Backport the upstream patch that checks and does
   not add duplicates over and over again.

[ Test Plan ]

Create a guest via libvirt/kvm, for example with uvtool

$ uvt-kvm create --password=ubuntu q2 arch=amd64 label=daily release=questing

Create a network device definition for libvirt in a file

$ cat net-add-test.xml
    <interface type='network'>
      <source network='default' bridge='virbr0'/>
      <target dev='vnet1'/>
      <model type='virtio'/>
      <alias name='net1'/>
    </interface>

Attach and detach that over and over like:

$ for i in $(seq 1 10); do virsh attach-device q2 net-add-test.xml; sleep 1; virsh detach-device q2 net-add-test.xml; done

Get the UUID of the guest

$ virsh dominfo q2 | grep UUID
UUID 33884b16-ff6e-4947-bd0d-ec8dedba0395

In the bad case, this will have many such entries.
In the good case no further ones would have been added.

$ grep dev.*tun libvirt-33884b16-ff6e-4947-bd0d-ec8dedba0395.files
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,

[ Where problems could occur ]

 * The change is isolated to dynamic apparmor handling, so in the worst case we are talking about rules that fail to be added. Therefore we'd want to look out for new apparmor denials or generally apparmor-related issues being reported that were not present before.

[ Other Info ]

 * n/a

----

I'm using libvirt 10.0.0 from noble

```
root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# libvirtd --version
libvirtd (libvirt) 10.0.0
root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# dpkg -l |grep libvirt
ii libvirt-clients 10.0.0-2ubuntu8.8 amd64 Programs for the libvirt library
ii libvirt-daemon 10.0.0-2ubuntu8.8 amd64 Virtualization daemon
ii libvirt-daemon-config-network 10.0.0-2ubuntu8.8 all Libvirt daemon configuration files (default network)
ii libvirt-daemon-config-nwfilter 10.0.0-2ubuntu8.8 all Libvirt daemon configuration files (default network filters)
ii libvirt-daemon-driver-qemu 10.0.0-2ubuntu8.8 amd64 Virtualization daemon QEMU connection driver
ii libvirt-daemon-system 10.0.0-2ubuntu8.8 amd64 Libvirt daemon configuration files
ii libvirt-daemon-system-systemd 10.0.0-2ubuntu8.8 all Libvirt daemon configuration files (systemd)
ii libvirt0:amd64 10.0.0-2ubuntu8.8 amd64 library for interfacing with different virtualization systems
```

Libvirt configuration

```
root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# cat /etc/libvirt/qemu.conf

default_tls_x509_cert_dir = "/etc/pki/qemu"
default_tls_x509_verify = 1
group = "kvm"
security_driver = "apparmor"
stdio_handler = "logd"
user = "nova"
vnc_listen = "0.0.0.0"
vnc_tls = 1
vnc_tls_x509_verify = 1
root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/#
root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# cat /etc/libvirt/libvirtd.conf

auth_tcp = "none"
keepalive_count = 9
keepalive_interval = 10
listen_addr = "10.10.0.191"
listen_tcp = 0
listen_tls = 1
log_level = 3
log_outputs = "1:file:/var/log/libvirt/libvirtd.log"
root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# cat /etc/libvirt/libvirt.conf
#
# This can be used to setup URI aliases for frequently
# used connection URIs. Aliases may contain only the
# characters a-Z, 0-9, _, -.
#
# Following the '=' may be any valid libvirt connection
# URI, including arbitrary parameters

#uri_aliases = [
# "hail=qemu+ssh://<email address hidden>/system",
# "sleet=qemu+ssh://<email address hidden>/system",
#]

#
# These can be used in cases when no URI is supplied by the application
# (@uri_default also prevents probing of the hypervisor driver).
#
#uri_default = "qemu:///system"
```

Each time a NIC is added to a VM, a new /dev/net/tun entry appears in /etc/apparmor.d/libvirt/libvirt-1157526e-4520-4fbf-8bd4-b606d37ad6b1.files
When the interface is detached, the /dev/net/tun entry is not removed.

There are two problems related to this:
1. Even when all interfaces are removed from the domain, it still has allow rules for the tun device (which it should not).
2. Overflow is possible: when many attach/detach actions are executed, the file size may grow up to the 10Mb limit and apparmor will refuse any other changes.


Christian Ehrhardt (paelzer) wrote:

Hi Vasyl,
Let me start with confirming - you are just right - this is a problem.
Although not an intense or common one.
It was discussed back then if leaving the tun interface available for those who had it before is a problem and it was not considered a big one.
But yeah, with enough add/remove it could get too much and break entirely.

The problem is that libvirt apparmor handling has two ways, the initial set which is converting the XML description into rules - that works fine. The later add/removal are just events and the removal usually does not carry much info, so it can be (depends on the case) hard to map it back to what to remove.
I have not checked that case, so it might be easy here (or not).

Sadly these efforts just do not fit well for quite a while, only the more breaking more common issues are tackled. This is somewhere in between, but I agree would be worth at least to check if it is one of the easier or more challenging cases.

I'm tagging this libvirt-apparmor-dev to be together with similar group of "this actually would need a major dev effort around libvirt/apparmor to be better" bugs.

Changed in libvirt (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Vasyl Saienko (vsaienko) wrote:

@paelzer thanks for confirming this issue. Since we do not remove entries from apparmor, maybe we should not add a new entry when it already exists there? Just a thought for a potential fix.

Christian Ehrhardt (paelzer) wrote:

Since that was not considered a strictly needed to be blocked interface it is even added to the general profiles that are included already. There is no need to add it even once on the hot-add of the device.

  apparmor/usr.sbin.virtqemud.in:132: /dev/net/tun rw,
  apparmor/libvirt-qemu:26: /dev/net/tun rw,

So yes, there could be some related cleanup for sure.

Let me add some more for reproducing this

$ grep dev.*tun ../abstractions/libvirt-qemu
  /dev/net/tun rw,

Normal basic guest - in my case called q2 with the following uuid - right after start

$ grep dev.*tun libvirt-33884b16-ff6e-4947-bd0d-ec8dedba0395.files
  "/dev/net/tun" rwk,

Config for a second network dev to add

$ cat net-add-test.xml
    <interface type='network'>
      <source network='default' bridge='virbr0'/>
      <target dev='vnet1'/>
      <model type='virtio'/>
      <alias name='net1'/>
    </interface>

$ virsh attach-device q2 net-add-test.xml
Device attached successfully

$ grep dev.*tun libvirt-33884b16-ff6e-4947-bd0d-ec8dedba0395.files
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,

$ for i in $(seq 1 10); do virsh attach-device q2 net-add-test.xml; virsh detach-device q2 net-add-test.xml; done
$ grep dev.*tun libvirt-33884b16-ff6e-4947-bd0d-ec8dedba0395.files
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,

Changed in libvirt (Ubuntu):
importance: Low → Medium
Christian Ehrhardt (paelzer) wrote:

Next: check which of the flows through src/security/security_apparmor.c this takes [and where the labelling to /dev/net/tun comes from exactly] and come up with a suggestion how to block/filter duplicates.

Christian Ehrhardt (paelzer) wrote:

Hector will try to dive into all the abstractions and indirections to see where we can block this from happening. Since the base abstraction for libvirt-qemu has it, we do not even have to count and can just ignore it.

Changed in libvirt (Ubuntu):
assignee: nobody → Hector CAO (hectorcao)
Hector CAO (hectorcao) wrote:

I drop here the link to a libvirt upstream bug on another issue about the way we handle the dynamic apparmor rules for VMs.
In the bug, Thiago gives a good explanation of what is going on, and reading it can give us a better understanding of this LP issue:

https://gitlab.com/libvirt/libvirt/-/issues/692

Hector CAO (hectorcao) wrote:

Issue statement
---

The issue is the overflow of the VM's apparmor (AA) profile when libvirt keeps updating the profile as devices are dynamically added at runtime, without checking for duplicates.

Issue analysis
---

When a VM is created, libvirt creates an apparmor profile (/etc/apparmor.d/libvirt/libvirt-<uuid>) for the VM. This profile is composed of 2 parts:

- *common*: abstractions/libvirt-qemu : common to all VMs. This part can be modified outside of libvirt by editing the file
  /etc/apparmor.d/abstractions/libvirt-qemu.

- *VM-specific*: /etc/apparmor.d/libvirt/libvirt-<uuid>.files : generated at VM start based on the VM XML definition and
  modified during VM runtime to add additional rules needed for the VM to function (the typical use case is when
  we dynamically attach a device to the VM). This part is supposed to be modifiable ONLY by libvirt.

The overflow issue reported in this bug is related to the *VM-specific* part.

To modify the *VM-specific* part, libvirt uses the helper program: /usr/lib/libvirt/virt-aa-helper by providing the VM XML configuration via stdin.

As an example, when a network device is added to the VM (as reported in this bug), libvirt calls virt-aa-helper as follows:

 /usr/lib/libvirt/virt-aa-helper -r -u libvirt-<uuid> -F /dev/net/tun < <VM-XML>

-r : replace the current profile (this is because the VM is running and the profile already exists)
-u : the VM AA profile name
-F : append the rule to the profile
<VM-XML> : the VM XML definition is provided in stdin

 /usr/lib/libvirt/virt-aa-helper does not check if the AA entry already exists in the current profile and just adds the requested entry to the file; that is why the AA profile might overflow after a big number of similar operations.

Solution
----

The solution would be adding duplicate verification to virt-aa-helper when we want to append a new entry (called with the -F argument).

This can be done in the function vah_add_file():

./src/security/virt-aa-helper.c
   vah_add_file()

Additional context
----

There is an ongoing submission by Georgia on the libvirt mailing list to tackle another issue with this *VM-specific* AA profile management (https://gitlab.com/libvirt/libvirt/-/issues/692) : https://<email address hidden>/msg07705.html

The issue is that when we unplug a dynamically attached device from a VM, the VM loses all rules added for other dynamically attached devices.
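The blind append and the duplicate check described in the analysis above, as an added illustration in Python (not the thread's own code and not libvirt's C implementation of vah_add_file()): the unfixed behaviour beside the de-duplicating append, plus an audit helper that counts repeated rules in an existing profile. The sample profile text, the helper names and the UUID placeholder are constructed for the example.

```python
"""Duplicate-rule handling for a libvirt per-VM AppArmor ".files" profile.

Added illustration, not libvirt's virt-aa-helper code: models the -F append
path once without and once with a duplicate check, and provides an audit
function an operator can run over profile text to spot profiles that have
already ballooned from repeated hot-add events.
"""
from collections import Counter

# Constructed sample modelled on the ".files" excerpt quoted in the thread;
# the paths are illustrative and the UUID is a placeholder.
SAMPLE_PROFILE = """# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/guest-UUID-PLACEHOLDER.log" w,
  "/usr/share/ovmf/OVMF.fd" rk,
  # don't audit writes to readonly files
  deny "/usr/share/ovmf/OVMF.fd" w,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
"""


def rule_for_path(path: str, perms: str = "rwk") -> str:
    """Render a file rule the way the ".files" profile quotes it."""
    return f'  "{path}" {perms},'


def _is_rule(line: str) -> bool:
    """True for rule lines; blank lines and '#' comments are skipped."""
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith("#")


def append_rule_blind(profile: str, path: str, perms: str = "rwk") -> str:
    """Unfixed behaviour: always append, so every hot-add adds one line."""
    return profile + rule_for_path(path, perms) + "\n"


def append_rule_dedup(profile: str, path: str, perms: str = "rwk") -> str:
    """Fixed behaviour: append only if an identical rule is absent.

    Rules are compared after stripping whitespace, so indentation differences
    do not defeat the check. Duplicates already present in the profile are
    left alone: the check only stops new ones from being added.
    """
    new_rule = rule_for_path(path, perms).strip()
    existing = {ln.strip() for ln in profile.splitlines() if _is_rule(ln)}
    if new_rule in existing:
        return profile
    return profile + rule_for_path(path, perms) + "\n"


def duplicate_rules(profile: str) -> dict:
    """Audit: map each rule text occurring more than once to its count."""
    counts = Counter(ln.strip() for ln in profile.splitlines() if _is_rule(ln))
    return {rule: n for rule, n in counts.items() if n > 1}


def simulate_hotplug(profile: str, cycles: int, dedup: bool) -> int:
    """Apply `cycles` attach events (detach removes nothing, as in the bug)
    and return how many "/dev/net/tun" rules the profile ends up with."""
    append = append_rule_dedup if dedup else append_rule_blind
    for _ in range(cycles):
        profile = append(profile, "/dev/net/tun")
    target = rule_for_path("/dev/net/tun").strip()
    return sum(1 for ln in profile.splitlines() if ln.strip() == target)


if __name__ == "__main__":
    print("tun rules after 10 hot-adds, blind append:",
          simulate_hotplug(SAMPLE_PROFILE, 10, dedup=False))
    print("tun rules after 10 hot-adds, dedup append:",
          simulate_hotplug(SAMPLE_PROFILE, 10, dedup=True))
    print("duplicates already in the sample:", duplicate_rules(SAMPLE_PROFILE))
```

To audit a real host, feed `duplicate_rules()` the contents of each /etc/apparmor.d/libvirt/libvirt-<uuid>.files; any non-empty result is a profile that grew under the unfixed behaviour.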

Hector CAO (hectorcao)
Changed in libvirt (Ubuntu):
status: Confirmed → In Progress
Hector CAO (hectorcao) wrote:

Submission upstream: https://<email address hidden>/thread/2HIZC2EK72NBLMCNGT54XIVGJEGG7YNN/

Hector CAO (hectorcao)
Changed in libvirt (Ubuntu Questing):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libvirt - 11.6.0-1ubuntu2

---------------
libvirt (11.6.0-1ubuntu2) questing; urgency=medium

  [ Lukas Märdian ]
  * Default to qemu:///system libvirt URI (LP: #2027838)
    On Ubuntu we always want to initialize the URI to qemu:///system,
    regardless if running as privileged daemon or not. This keeps backward
    compatibility with Ubuntu's default behavior, while still allowing users
    more flexibility in changing that default, through config files or
    environment variables.
    - d/p/u/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch
  * d/t/default-uri: add basic test for LIBVIRT_DEFAULT_URI handling
  * d/libvirt-clients.conffiles: Remove libvirt-uri.sh profile.d script
  * Drop Changes:
    - libvirt-uri.sh, d/rules: Automatically switch default libvirt URI
      for users via user profile (qemu:///system)

  [ Hector Cao ]
  * d/p/u-aa/lp2079869-* : virt-aa-helper: Avoid duplicate when append rule
    (LP: #2120278)

 -- Hector Cao <email address hidden> Wed, 27 Aug 2025 10:18:49 +0200

Changed in libvirt (Ubuntu Questing):
status: Fix Committed → Fix Released
Changed in libvirt (Ubuntu Questing):
assignee: Hector CAO (hectorcao) → nobody
Hector CAO (hectorcao)
Changed in libvirt (Ubuntu Plucky):
assignee: nobody → Hector CAO (hectorcao)
Changed in libvirt (Ubuntu Noble):
assignee: nobody → Hector CAO (hectorcao)
Changed in libvirt (Ubuntu Noble):
status: New → In Progress
Changed in libvirt (Ubuntu Plucky):
status: New → In Progress
description: updated
Christian Ehrhardt (paelzer) wrote:

All uploaded to -unapproved and now waiting to be seen on SRU shift processing the queue.

Julian Andres Klode (juliank) wrote: Please test proposed package

Hello Vasyl, or anyone else affected,

Accepted libvirt into plucky-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/11.0.0-2ubuntu6.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-plucky to verification-done-plucky. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-plucky. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libvirt (Ubuntu Plucky):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-plucky
Changed in libvirt (Ubuntu Noble):
status: In Progress → Fix Committed
tags: added: verification-needed-noble
Julian Andres Klode (juliank) wrote:

Hello Vasyl, or anyone else affected,

Accepted libvirt into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/10.0.0-2ubuntu8.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Christian Ehrhardt (paelzer) wrote:

Before the fix - confirming the problem and the repro steps

Noble
root@n:~# uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=noble
Adding: com.ubuntu.cloud.daily:server:24.04:amd64 20250805
root@n:~# uvt-kvm create --password=ubuntu n arch=amd64 label=daily release=noble
Warning: using --password from the command line is not secure and should be used for debugging only.
Warning: '/root/.ssh/id_rsa.pub' not found; instance will be started with no ssh access by default.
root@n:~# vim net-add-test.xml
root@n:~# virsh dominfo n | grep UUID
UUID: 19f7aa87-fa92-4dc7-b061-19eadfbfc208
root@n:~# grep dev.*tun /etc/apparmor.d/libvirt/libvirt-19f7aa87-fa92-4dc7-b061-19eadfbfc208.files
  "/dev/net/tun" rwk,
root@n:~# for i in $(seq 1 10); do virsh attach-device n net-add-test.xml; sleep 1; virsh detach-device n net-add-test.xml; done
Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

root@n:~# grep dev.*tun /etc/apparmor.d/libvirt/libvirt-19f7aa87-fa92-4dc7-b061-19eadfbfc208.files
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,

Plucky
root@p:~# uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=noble
Adding: com.ubuntu.cloud.daily:server:24.04:amd64 20250805
root@p:~# uvt-kvm create --password=ubuntu n arch=amd64 label=daily release=noble
Warning: using --password from the command line is not secure and should be used for debugging only.
Warning: '/root/.ssh/id_rsa.pub' not found; instance will be started with no ssh access by default.
root@p:~# virsh dominfo n | grep UUID
UUID: c04f9744-3cac-4a60-86fd-1bb3b382e99e
root@p:~# grep dev.*tun /etc/apparmor.d/libvirt/libvirt-c04f9744-3cac-4a60-86fd-1bb3b382e99e.files
  "/dev/net/tun" rwk,
root@p:~# for i in $(seq 1 10); do virsh attach-device n net-add-test.xml; sleep 1; virsh detach-device n net-add-test.xml; done
Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Device detached successfully

Device attached successfully

Dev...

tags: added: verification-done verification-done-noble verification-done-plucky
removed: verification-needed verification-needed-noble verification-needed-plucky
Pavlo Shchelokovskyy (pshchelo) wrote:

I have tried this patch in the same setup where Vasyl, the original reporter, found this (we work together).

I can confirm that this new libvirt package solves the issue with ballooning apparmor profile file size, the /dev/net/tun is no longer written to apparmor profile on every nic attach.

Thanks a lot for a speedy fix! Waiting for it to land in noble-updates.

I will try to run some of our functional tests to catch potential regressions too (basically OpenStack Tempest smoke test set in our case).

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libvirt - 11.0.0-2ubuntu6.3

---------------
libvirt (11.0.0-2ubuntu6.3) plucky; urgency=medium

  [ Lukas Märdian ]
  * d/p/u/lp-2117467-virdevmapper-device-name-for-targets.patch:
    virdevmapper: Always use device name for finding targets. This ensures
    that all the target devices of a multipath device are added to the
    namespace/cgroup of the guest domain.
    Closes LP: #2117467.

  [ Hector Cao ]
  * d/p/u-aa/lp2079869-* : virt-aa-helper: Avoid duplicate when append rule
    (LP: #2120278)

 -- Hector Cao <email address hidden> Wed, 17 Sep 2025 01:13:17 +0200

Changed in libvirt (Ubuntu Plucky):
status: Fix Committed → Fix Released
Julian Andres Klode (juliank) wrote: Update Released

The verification of the Stable Release Update for libvirt has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libvirt - 10.0.0-2ubuntu8.9

---------------
libvirt (10.0.0-2ubuntu8.9) noble; urgency=medium

  [ Bhavin Gandhi ]
  * d/p/u/lp-2117467-virdevmapper-device-name-for-targets.patch:
    virdevmapper: Always use device name for finding targets. This ensures
    that all the target devices of a multipath device are added to the
    namespace/cgroup of the guest domain.
    Closes LP: #2117467.

  [ Hector Cao ]
  * d/p/u-aa/lp2079869-* : virt-aa-helper: Avoid duplicate when append rule
    (LP: #2120278)

 -- Hector Cao <email address hidden> Wed, 17 Sep 2025 01:20:45 +0200

Changed in libvirt (Ubuntu Noble):
status: Fix Committed → Fix Released
Lukas Märdian (slyon)
Changed in libvirt (Ubuntu Jammy):
status: New → In Progress
Nick Rosbrook (enr0n) wrote: Please test proposed package

Hello Vasyl, or anyone else affected,

Accepted libvirt into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu7.14 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libvirt (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
removed: verification-done
Ubuntu SRU Bot (ubuntu-sru-bot) wrote: Autopkgtest regression report (libvirt/8.0.0-1ubuntu7.14)

All autopkgtests for the newly accepted libvirt (8.0.0-1ubuntu7.14) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

apparmor/3.0.4-2ubuntu2.4 (arm64)
ceilometer/2:18.1.0-0ubuntu1 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#libvirt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Hector CAO (hectorcao) wrote:

I successfully verified the fix on Jammy.

$ sudo apt install -y libvirt-daemon
....

$ apt policy libvirt-daemon
libvirt-daemon:
  Installed: 8.0.0-1ubuntu7.14
  Candidate: 8.0.0-1ubuntu7.14
  Version table:
 *** 8.0.0-1ubuntu7.14 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     8.0.0-1ubuntu7.13 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages

I ran this command several times for an existing libvirt VM:

$ sudo /usr/lib/libvirt/virt-aa-helper -r -u libvirt-c5e1bd37-b39a-46de-a085-9651ea1b6077 -F /dev/fuse < vm.xml

And the AA profile only contains one occurrence of /dev/fuse:

$ cat /etc/apparmor.d/libvirt/libvirt-c5e1bd37-b39a-46de-a085-9651ea1b6077.files

# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/tdvirsh-regular_vm-c5e1bd37-b39a-46de-a085-9651ea1b6077.log" w,
  "/var/lib/libvirt/qemu/domain-tdvirsh-regular_vm-c5e1bd37-b39a-46de-a085-9651ea1b6077/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain-1-tdvirsh-regular_vm-c/*" rw,
  "/run/libvirt/**/tdvirsh-regular_vm-c5e1bd37-b39a-46de-a085-9651ea1b6077.pid" rwk,
  "/run/libvirt/**/*.tunnelmigrate.dest.tdvirsh-regular_vm-c5e1bd37-b39a-46de-a085-9651ea1b6077" rw,
  "/usr/share/ovmf/OVMF.fd" rk,
  # don't audit writes to readonly files
  deny "/usr/share/ovmf/OVMF.fd" w,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/fuse" rwk,

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libvirt - 8.0.0-1ubuntu7.14

---------------
libvirt (8.0.0-1ubuntu7.14) jammy; urgency=medium

  * d/p/u-aa/lp2120278-* : virt-aa-helper: Avoid duplicate when append rule
    (LP: #2120278)

 -- Hector Cao <email address hidden> Tue, 14 Oct 2025 22:38:25 +0000

Changed in libvirt (Ubuntu Jammy):
status: Fix Committed → Fix Released