Distros that use AppArmor, such as Debian and Ubuntu, install QEMU under /usr/bin/qemu-system-*, and our AppArmor profile is written with that assumption in mind. If you try to run the RHEL or CentOS version of libvirt and QEMU inside a privileged container on such distros, however, that will result in an error, because the path /usr/libexec/qemu-kvm is used instead. In particular, this prevents upstream KubeVirt releases (which are based on CentOS) from running on Debian/Ubuntu nodes. See https://github.com/kubevirt/kubevirt/pull/8692 and the issues referenced therein for additional details. Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx> --- src/security/apparmor/usr.sbin.libvirtd.in | 4 ++++ src/security/apparmor/usr.sbin.virtqemud.in | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index 886f1ad518..2994de5ec9 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -99,6 +99,10 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { # read and run an ebtables script. /var/lib/libvirt/virtd* ixr, + # Needed when running the RHEL/CentOS version of libvirt and QEMU + # inside a privileged container on a Debian/Ubuntu host + /usr/libexec/qemu-kvm PUx, + # force the use of virt-aa-helper audit deny /{usr/,}sbin/apparmor_parser rwxl, audit deny /etc/apparmor.d/libvirt/** wxl, diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in index 3de03d49fc..b3f33b9471 100644 --- a/src/security/apparmor/usr.sbin.virtqemud.in +++ b/src/security/apparmor/usr.sbin.virtqemud.in 
@@ -94,6 +94,10 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { # read and run an ebtables script. /var/lib/libvirt/virtd* ixr, + # Needed when running the RHEL/CentOS version of libvirt and QEMU + # inside a privileged container on a Debian/Ubuntu host + /usr/libexec/qemu-kvm PUx, + # force the use of virt-aa-helper audit deny /{usr/,}sbin/apparmor_parser rwxl, audit deny /etc/apparmor.d/libvirt/** wxl, -- 2.38.1
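Review bot: in the usr.sbin.libvirtd.in hunk, the `U` in `/usr/libexec/qemu-kvm PUx,` means that when no profile named for that path is loaded, qemu-kvm runs unconfined rather than being denied, and the new two-line comment only says when the rule is needed, not what that fallback implies. Suggest extending the comment so readers of the profile know that guest confinement still depends on libvirt switching to the per-VM profile generated through virt-aa-helper (the `# force the use of virt-aa-helper` block directly below) before the exec, and that an unconfined qemu-kvm is the expected outcome when that switch does not happen. Since the hunk changes only the daemon profile, please also confirm that the per-VM profile template and the abstraction it includes permit executing /usr/libexec/qemu-kvm; if they do not, the exec from the per-VM profile would still be denied on the same Debian/Ubuntu hosts the commit message describes.

Review bot: the usr.sbin.virtqemud.in hunk is a verbatim copy of the libvirtd one, so the same comment and confinement points apply. Because the two profiles now carry identical rule-plus-comment blocks, consider either noting in the commit message that both files must be kept in sync or moving the rule into a shared include so it is not duplicated.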