[Touch-packages] [Bug 1895967] Re: 3.0.0~beta1-0ubuntu1 in Groovy breaks Libvirt/Qemu/KVM

[Christian Ehrhardt ]

Yeah and the comment above this function pointed the right way:

Good case (libvirt is enforced):
oot@testkvm-groovy-to:~# aa-status 
apparmor module is loaded.
31 profiles are loaded.
31 profiles are in enforce mode.
   /snap/snapd/9279/usr/lib/snapd/snap-confine
   /snap/snapd/9279/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   libvirtd
   libvirtd//qemu_bridge_helper
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
   tcpdump
   virt-aa-helper
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/libvirtd (14751) libvirtd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.


Bad case libvirt (and plenty of other things) are not confined:
# aa-status 
apparmor module is loaded.
15 profiles are loaded.
15 profiles are in enforce mode.
   /snap/snapd/9279/usr/lib/snapd/snap-confine
   /snap/snapd/9279/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.


As if only snap profiles are loaded.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1895967

Title:
  3.0.0~beta1-0ubuntu1 in Groovy breaks Libvirt/Qemu/KVM

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  Hi,
  I stumbled over this due to automatic tests checking proposed.
  I found that Focal no more could migrate to Groovy with:

  $ virsh migrate --unsafe --live fguest qemu+ssh://10.162.30.163/system
  error: unsupported configuration: Security driver model 'apparmor' is not 
available

  I looked after it and found that while all former releases detected
  apparmor correctly:

  $ virsh capabilities | grep -C 3 secmodel
      <cache>
        <bank id='0' level='3' type='both' size='15' unit='MiB' cpus='0-11'/>
      </cache>
      <secmodel>
        <model>apparmor</model>
        <doi>0</doi>
      </secmodel>
      <secmodel>
        <model>dac</model>
        <doi>0</doi>
        <baselabel type='kvm'>+64055:+108</baselabel>
        <baselabel type='qemu'>+64055:+108</baselabel>
      </secmodel>

  Now on groovy that didn't work anymore:

      <secmodel>
        <model>none</model>
        <doi>0</doi>
      </secmodel>
      <secmodel>
        <model>dac</model>
        <doi>0</doi>
        <baselabel type='kvm'>+64055:+108</baselabel>
        <baselabel type='qemu'>+64055:+108</baselabel>
      </secmodel>

  Since 3.0 is only in proposed:
  # apt-cache policy apparmor
  apparmor:
    Installed: 2.13.3-7ubuntu6
    Candidate: 3.0.0~beta1-0ubuntu1
    Version table:
       3.0.0~beta1-0ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu groovy-proposed/main amd64 
Packages
   *** 2.13.3-7ubuntu6 500
          500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
          100 /var/lib/dpkg/status
  I installed the former version.

  
  $ apt install apparmor=2.13.3-7ubuntu6
  $ rm /var/cache/libvirt/qemu/capabilities/*
  $ systemctl restart libvirtd

  And it works again.

  Interestingly going back to 3.0 then works and keeps working.
  Therefore maybe it is a red-herring and I'll consider it incomplete & low 
prio for now until I know more (allowing others that might see the same to find 
this bug and chime in).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895967/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp