Re: [libvirt PATCH 1/1] apparmor: Allow umount(/dev)

Wednesday, 18 January 2023

On 1/18/23 10:43, Andrea Bolognani wrote:
...
 Commit 379c0ce4bfed introduced a call to umount(/dev) performed
 inside the namespace that we run QEMU in.

 As a result of this, on machines using AppArmor, VM startup now
 fails with

   internal error: Process exited prior to exec: libvirt:
   QEMU Driver error: failed to umount devfs on /dev: Permission denied

 The corresponding denial is

   AVC apparmor="DENIED" operation="umount"
profile="libvirtd"
       name="/dev/" pid=70036 comm="rpc-libvirtd"

 Extend the AppArmor configuration for virtqemud and libvirtd so
 that this operation is allowed.

 Signed-off-by: Andrea Bolognani <abologna(a)redhat.com&gt;
 ---
  src/security/apparmor/usr.sbin.libvirtd.in  | 1 +
  src/security/apparmor/usr.sbin.virtqemud.in | 1 +
  2 files changed, 2 insertions(+) 
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com&gt;

For more background on why umount is needed see my reply to Jim's
question from earlier:

https://listman.redhat.com/archives/libvir-list/2023-January/237149.html

Michal

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [libvirt PATCH 1/1] apparmor: Allow umount(/dev)