Based on 1815452, specifically the PPA from Comment #17.
First, trying it gives me these AppArmor denied entries (complete log in default_PPA_denies.log):
Feb 27 09:32:18 desktop audit[14553]: AVC apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/sys/devices/pci0000:00/0000:00:03.1/0000:1c:00.0/uevent" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop kernel: audit: type=1400 audit(1551288738.289:191): apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/sys/devices/pci0000:00/0000:00:03.1/0000:1c:00.0/uevent" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop audit[14553]: AVC apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/proc/modules" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop audit[14553]: AVC apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/sys/bus/pci/devices/" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop kernel: audit: type=1400 audit(1551288738.429:192): apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/proc/modules" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop kernel: audit: type=1400 audit(1551288738.429:193): apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/sys/bus/pci/devices/" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop audit[14553]: AVC apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/usr/share/egl/egl_external_platform.d/" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop audit[14553]: AVC apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/sys/devices/pci0000:00/0000:00:03.1/0000:1c:00.0/uevent" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop kernel: audit: type=1400 audit(1551288738.509:194): apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/usr/share/egl/egl_external_platform.d/" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop kernel: audit: type=1400 audit(1551288738.509:195): apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/sys/devices/pci0000:00/0000:00:03.1/0000:1c:00.0/uevent" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Worked around them (or so I think) by adding to local/abstractions/libvirt-qemu:
/proc/modules r,
/proc/driver/nvidia/ r,
/proc/driver/nvidia/** r,
/usr/share/egl/ r,
/usr/share/egl/** r,
/sys/devices/** r,
/sys/devices/ r,
/dev/nvidiactl rw,
This doesn't give any more AppArmor denials, but it fails to run and shows the following error (full log in my_attempted_workaround.log):
Feb 27 09:40:16 desktop libvirtd[1468]: Unable to read from monitor: Connection reset by peer
Feb 27 09:40:16 desktop libvirtd[1468]: internal error: qemu unexpectedly closed the monitor: qemu-system-x86_64: ../src/gallium/drivers/llvmpipe/lp_texture.c:499: llvmpipe_resource_get_handle: Assertion `lpr->dt' failed.
Other relevant bits:
I'm using the nvidia 415 driver from the graphics-driver PPA.
Thanks a lot Brian!
The denies for /sys/devices will be covered by my recent upstream commit which is a bit less "open" :-)
This is stuff we really need to add:
/usr/share/egl/egl_external_platform.d/ r,
/usr/share/egl/egl_external_platform.d/** r,
/proc/modules r,
Less open than you suggested but should work, I recently added upstream:
/etc/glvnd/egl_vendor.d/{,*} r,
which together with the rule above should be fine.
Note, all that is only done if GL is enabled which makes it rather secure to not open it up in general.
The following rules you added in your test, but I haven't seen the apparmor DENIED examples in any of the logs. Would you mind running it without those rules and providing those deny example logs for:
/proc/driver/nvidia/ r,
/proc/driver/nvidia/** r,
/dev/nvidiactl rw,
Once I have that I can push a change online extending what I did for i915 with what you identified.
Once we have that I can do an upload to Disco with all of it and we can give it a retry with all the platforms that we have.
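The reply above checks the reporter's workaround by hand: which of the added rules are actually justified by a logged denial, and which were added without evidence. The script below does that check mechanically. It is an added example, not code from the bug report, from libvirt or from the AppArmor tools: it parses the AVC DENIED lines quoted in the report (embedded here as constructed sample input), proposes the narrowest exact-path rules that would satisfy them, and then tests a rule list (the reporter's workaround, reproduced as a constructed list) for denials it does not cover and for rules that cover no observed denial. The glob semantics are my reading of the AppArmor parser (`*` stays inside one path component, `**` crosses `/`, `{a,b}` is alternation, and `/dir/**` does not match `/dir/` itself, which is why profiles carry both `/dir/ r,` and `/dir/** r,` or use `{,**}`); `/sys/bus/pci/devices/` shows up as uncovered because no rule in the workaround matches it, not because of anything the reply says.

```python
"""Check a set of AppArmor file rules against AVC DENIED audit lines.

Added example, not code from the bug report or from libvirt/AppArmor.
"""
import re

# Constructed sample input: the DENIED lines quoted in the report. Journal
# ("audit[pid]: AVC ...") and kernel ("audit: type=1400 ...") variants carry
# the same key="value" fields, so one parser serves both.
SAMPLE_LOG = """\
Feb 27 09:32:18 desktop audit[14553]: AVC apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/sys/devices/pci0000:00/0000:00:03.1/0000:1c:00.0/uevent" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop kernel: audit: type=1400 audit(1551288738.289:191): apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/sys/devices/pci0000:00/0000:00:03.1/0000:1c:00.0/uevent" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop audit[14553]: AVC apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/proc/modules" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop audit[14553]: AVC apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/sys/bus/pci/devices/" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Feb 27 09:32:18 desktop audit[14553]: AVC apparmor="DENIED" operation="open" profile="libvirt-26480e4e-9d51-476e-b329-657b2012c151" name="/usr/share/egl/egl_external_platform.d/" pid=14553 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
"""

# Constructed list: the reporter's workaround rules from the bug report.
REPORTER_RULES = [
    "/proc/modules r,",
    "/proc/driver/nvidia/ r,",
    "/proc/driver/nvidia/** r,",
    "/usr/share/egl/ r,",
    "/usr/share/egl/** r,",
    "/sys/devices/** r,",
    "/sys/devices/ r,",
    "/dev/nvidiactl rw,",
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(r"^\s*(?:owner\s+)?(\S+)\s+([A-Za-z]+)\s*,\s*$")


def parse_denials(log_text):
    """One dict per DENIED line: profile, denied path, denied mask, comm."""
    denials = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        denials.append({"profile": f["profile"], "name": f["name"],
                        "mask": f["denied_mask"], "comm": f.get("comm", "")})
    return denials


def propose_rules(denials):
    """Narrowest rules: one exact path per denied object, masks merged."""
    wanted = {}
    for d in denials:
        wanted.setdefault(d["name"], set()).update(d["mask"])
    return ["%s %s," % (path, "".join(sorted(mask)))
            for path, mask in sorted(wanted.items())]


def glob_to_regex(pattern):
    """AppArmor file glob -> anchored regex (assumed semantics, see lead-in)."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if i > 0 and pattern[i - 1] == "/":
                out.append("[^/]")  # /dir/* and /dir/** need a real component
            if pattern.startswith("**", i):
                out.append(".*")
                i += 2
            else:
                out.append("[^/]*")
                i += 1
            continue
        if c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))


def rule_covers(rule, path, mask):
    """True if this one file rule allows every permission in mask on path."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a file rule: %r" % rule)
    regex, perms = glob_to_regex(m.group(1)), set(m.group(2))
    return regex.fullmatch(path) is not None and set(mask) <= perms


def uncovered(rules, denials):
    """Denied paths that no rule in the list allows (sorted, deduplicated)."""
    return sorted({d["name"] for d in denials
                   if not any(rule_covers(r, d["name"], d["mask"]) for r in rules)})


def unused(rules, denials):
    """Rules that allow none of the logged denials: added without evidence."""
    return [r for r in rules
            if not any(rule_covers(r, d["name"], d["mask"]) for d in denials)]


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print("narrowest rules for the logged denials:")
    for rule in propose_rules(found):
        print("  " + rule)
    print("denied paths the workaround still does not allow:", uncovered(REPORTER_RULES, found))
    print("workaround rules backed by no logged denial:", unused(REPORTER_RULES, found))
```

Run it against a real journal with `journalctl -k | grep 'apparmor="DENIED"'` piped into `parse_denials`, and feed it the rules you intend to add to local/abstractions/libvirt-qemu; anything `unused` reports is a rule to drop until a denial for it shows up, which is the same question the reply asks about the nvidia and nvidiactl lines.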