On Thu, Nov 03, 2022 at 12:13:53PM +0100, Andrea Bolognani wrote:
> Distros that use AppArmor, such as Debian and Ubuntu, install
> QEMU under /usr/bin/qemu-system-*, and our AppArmor profile is
> written with that assumption in mind.
>
> If you try to run the RHEL or CentOS version of libvirt and
> QEMU inside a privileged container on such distros, however,
> that will result in an error, because the path
> /usr/libexec/qemu-kvm is used instead.
>
> In particular, this prevents upstream KubeVirt releases (which
> are based on CentOS) from running on Debian/Ubuntu nodes. See
>
> https://github.com/kubevirt/kubevirt/pull/8692
>
> and the issues referenced therein for additional details.
>
> Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
> ---
> src/security/apparmor/usr.sbin.libvirtd.in | 4 ++++
> src/security/apparmor/usr.sbin.virtqemud.in | 4 ++++
> 2 files changed, 8 insertions(+)
> [...]
>
> + # Needed when running the RHEL/CentOS version of libvirt and QEMU
> + # inside a privileged container on a Debian/Ubuntu host
> + /usr/libexec/qemu-kvm PUx,

Jim and Christian, can you please take a look and confirm that this
is sane? Thanks in advance!

--
Andrea Bolognani / Red Hat / Virtualization
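
Review bot: the PUx mode on the added /usr/libexec/qemu-kvm rule falls back to unconfined execution (with a scrubbed environment) whenever no profile is attached to that path, and the two comment lines above the rule do not mention this. Since the commit message says Debian/Ubuntu install QEMU under /usr/bin/qemu-system-*, a host profile matching /usr/libexec/qemu-kvm may well be absent, in which case the fallback is the path actually taken. Consider extending the comment to state that the binary runs unconfined by this profile when no matching profile is loaded, and confirm that this is intended for both usr.sbin.libvirtd.in and usr.sbin.virtqemud.in, because the rule is unconditional and is not limited to the container case the comment describes.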