An issue was recently reported[1] with running unprivileged VMs configured to use passt on Debian with AppArmor confinement enabled.

After looking into the situation, I am convinced that AppArmor confinement never really worked for unprivileged VMs. The whole mechanism is built around the concept of per-VM profiles that are dynamically generated and registered, but doing so requires write access to /etc/apparmor.d/ and in general permissions that unprivileged libvirt will by design not have.

Of course it's unfortunate that unprivileged VMs would be forced to miss out on the potential benefits of AppArmor isolation, and even more unfortunate that passt won't work out of the box for unprivileged VMs, since those are the ones where it makes the most sense to use passt in the first place.

Stefano suggested introducing a generic "libvirt-user" profile that would be attached to unprivileged VMs and would be more liberal than the one used for privileged VMs, since we wouldn't be able to tailor it to the specifics of the VM, but would at least prevent the worst of the abuse; specifically, it would only allow R/W access to files in the current user's home directory.

Does that sound like a reasonable direction? Any other ideas?

In the meantime, Stefano has posted a workaround[2] that, when applied to passt's AppArmor profile, would allow these VMs to at least start.

CC'ing people with AppArmor knowledge for awareness.

[1] https://archives.passt.top/passt-dev/20250129104112.0756df5c@elisabeth/T/#u
[2] https://archives.passt.top/passt-dev/20250205163101.3793658-1-sbrivio@xxxxxxxxxx/T/#u

--
Andrea Bolognani / Red Hat / Virtualization