Control: severity -1 important

On Wed, Sep 11, 2024 at 02:21:07PM +0200, intrigeri wrote:
> If libvirt-daemon-driver-lxc is not installed, libvirtd logs this on startup:
>
> libvirtd[2085]: internal error: template '/etc/apparmor.d/libvirt/TEMPLATE.lxc' does not exist
>
> … and then apparently the logic to generate AppArmor profiles for QEMU VMs and
> enforce them is disabled. That was not obvious to me: I thought "OK, I don't
> have the LXC driver installed, so sure that file is missing, it's fine" and did
> not guess this would break a previously working security feature.

Thanks for the report.

This is definitely *not* expected and *not* acceptable. AppArmor
confinement for QEMU domains should work regardless of whether or not
an unrelated hypervisor driver is installed.

I'll look into it. I'm fairly sure it will require an upstream fix.

> I'm under the impression that this breakage happened recently, because just
> a few weeks ago I had AppArmor denials break stuff for 1 of my VMs, so it must
> have been working back then.

There was a pretty massive package restructuring landing recently in
unstable with 10.7.0-1, after having marinated for some time in
experimental. So that would be the cause.

-- 
Andrea Bolognani <e...@kiyuko.org>
Resistance is futile, you will be garbage collected.