On 1/18/23 03:45, Andrea Bolognani wrote:
On Wed, Jan 18, 2023 at 11:00:33AM +0100, Michal Prívozník wrote:
On 1/18/23 10:43, Andrea Bolognani wrote:
Commit 379c0ce4bfed introduced a call to umount(/dev) performed
inside the namespace that we run QEMU in.
As a result of this, on machines using AppArmor, VM startup now
fails with
internal error: Process exited prior to exec: libvirt:
QEMU Driver error: failed to umount devfs on /dev: Permission denied
The corresponding denial is
AVC apparmor="DENIED" operation="umount" profile="libvirtd"
name="/dev/" pid=70036 comm="rpc-libvirtd"
Extend the AppArmor configuration for virtqemud and libvirtd so
that this operation is allowed.
Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
---
src/security/apparmor/usr.sbin.libvirtd.in | 1 +
src/security/apparmor/usr.sbin.virtqemud.in | 1 +
2 files changed, 2 insertions(+)
Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
For more background on why umount is needed see my reply to Jim's
question from earlier:
https://listman.redhat.com/archives/libvir-list/2023-January/237149.html
Welp, missed that one O:-)
Jim, it looks like you came up with exactly the same solution as
me, despite concerns about the size of the resulting hammer. Any
other ideas, or should we just go ahead and merge this as-is?
My apparmor skills are too weak to select a smaller tool, so I'd say merge
as-is. It wasn't clear to me if/why the umount of /dev was actually needed, but
Michal did an excellent job of describing why it is.
Regards,
Jim