Ubuntu
libvirt package

virt-manager fails to show virtual console: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

Bug #1833040 reported by Didier Roche-Tolomelli on 2019-06-17

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	libvirt (Ubuntu)	Fix Released	Medium	Christian Ehrhardt 

Bug Description

This bug is similar to https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1747442, but since latest libvirt 5.4.0-0ubuntu1 hit Eoan, it reappaerred.

It seems a new syscall is made by this version of libvirt, with the apparmor profile denying it:
juin 17 09:56:35 casanier audit[21675]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-257f9611-e750-4683-902a-79c3c45b66a9" pid=21675 comm="apparmor_parser"
juin 17 09:56:35 casanier audit[21694]: AVC apparmor="DENIED" operation="file_receive" profile="libvirt-257f9611-e750-4683-902a-79c3c45b66a9" pid=21694 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirtd"
juin 17 09:56:35 casanier libvirtd[1137]: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS
juin 17 09:56:35 casanier audit[21694]: AVC apparmor="DENIED" operation="file_receive" profile="libvirt-257f9611-e750-4683-902a-79c3c45b66a9" pid=21694 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirtd"
juin 17 09:56:35 casanier libvirtd[1137]: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS
juin 17 09:56:35 casanier audit[21694]: AVC apparmor="DENIED" operation="file_receive" profile="libvirt-257f9611-e750-4683-902a-79c3c45b66a9" pid=21694 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirtd"
juin 17 09:56:35 casanier libvirtd[1137]: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

Thus, the apparmor profile needs to be updated so that a VM can start showing its console in virt-manager for instance.

ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: libvirt0 5.4.0-0ubuntu1
ProcVersionSignature: Ubuntu 5.0.0-16.17-generic 5.0.8
Uname: Linux 5.0.0-16-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu3
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Jun 17 09:58:35 2019
InstallationDate: Installed on 2018-05-24 (388 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
SourcePackage: libvirt
UpgradeStatus: Upgraded to eoan on 2019-01-08 (159 days ago)
modified.conffile..etc.libvirt.nwfilter.allow-arp.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-arp.xml']
modified.conffile..etc.libvirt.nwfilter.allow-dhcp-server.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-dhcp-server.xml']
modified.conffile..etc.libvirt.nwfilter.allow-dhcp.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-dhcp.xml']
modified.conffile..etc.libvirt.nwfilter.allow-incoming-ipv4.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-incoming-ipv4.xml']
modified.conffile..etc.libvirt.nwfilter.allow-ipv4.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-ipv4.xml']
modified.conffile..etc.libvirt.nwfilter.clean-traffic-gateway.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/clean-traffic-gateway.xml']
modified.conffile..etc.libvirt.nwfilter.clean-traffic.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/clean-traffic.xml']
modified.conffile..etc.libvirt.nwfilter.no-arp-ip-spoofing.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml']
modified.conffile..etc.libvirt.nwfilter.no-arp-mac-spoofing.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml']
modified.conffile..etc.libvirt.nwfilter.no-arp-spoofing.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-arp-spoofing.xml']
modified.conffile..etc.libvirt.nwfilter.no-ip-multicast.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-ip-multicast.xml']
modified.conffile..etc.libvirt.nwfilter.no-ip-spoofing.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-ip-spoofing.xml']
modified.conffile..etc.libvirt.nwfilter.no-mac-broadcast.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-mac-broadcast.xml']
modified.conffile..etc.libvirt.nwfilter.no-mac-spoofing.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-mac-spoofing.xml']
modified.conffile..etc.libvirt.nwfilter.no-other-l2-traffic.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-other-l2-traffic.xml']
modified.conffile..etc.libvirt.nwfilter.no-other-rarp-traffic.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-other-rarp-traffic.xml']
modified.conffile..etc.libvirt.nwfilter.qemu-announce-self-rarp.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml']
modified.conffile..etc.libvirt.nwfilter.qemu-announce-self.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/qemu-announce-self.xml']
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [inaccessible: [Errno 13] Permission non accordée: '/etc/libvirt/qemu/networks/default.xml']

Tags:

Related branches

~libvirt-maintainers/ubuntu/+source/libvirt:ubuntu/eoan-5.4

Merged into ~libvirt-maintainers/ubuntu/+source/libvirt:debian/experimental at revision 4055496c14a8447b2955a9618e20a864b98e6d0d

Canonical Server: Pending requested 2019-06-07

Rafael David Tinoco: Pending requested 2019-06-07

Canonical Server Core Reviewers: Pending requested 2019-06-07

Diff: 1611948 lines (+362057/-268450)

453 files modified

AUTHORS (+3/-0)
Makefile.am (+4/-2)
Makefile.ci (+70/-21)
Makefile.in (+16/-239)
NEWS (+45/-0)
cfg.mk (+0/-2)
config.h.in (+5/-12)
configure (+184/-188)
configure.ac (+1/-14)
debian/changelog (+6554/-35)
debian/control (+15/-11)
debian/libvirt-clients.install (+1/-0)
debian/libvirt-daemon-system.dirs (+3/-0)
debian/libvirt-daemon-system.install (+1/-2)
debian/libvirt-daemon-system.maintscript (+3/-0)
debian/libvirt-daemon-system.postinst (+128/-0)
debian/libvirt-daemon-system.postrm (+26/-4)
debian/libvirt-daemon.README.Debian (+82/-22)
debian/libvirt-daemon.apport (+22/-0)
debian/libvirt-daemon.dnsmasq (+2/-0)
debian/libvirt-daemon.install (+1/-0)
debian/libvirt-uri.sh (+27/-0)
debian/libvirt0.symbols (+3/-2)
debian/patches/Reduce-udevadm-settle-timeout-to-10-seconds.patch (+9/-11)
debian/patches/series (+30/-0)
debian/patches/ubuntu-aa/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch (+28/-0)
debian/patches/ubuntu-aa/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch (+30/-0)
debian/patches/ubuntu-aa/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch (+28/-0)
debian/patches/ubuntu-aa/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch (+25/-0)
debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch (+37/-0)
debian/patches/ubuntu-aa/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch (+33/-0)
debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch (+34/-0)
debian/patches/ubuntu-aa/0030-virt-aa-helper-Complete-9p-support.patch (+36/-0)
debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch (+43/-0)
debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch (+34/-0)
debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch (+41/-0)
debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch (+33/-0)
debian/patches/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch (+19/-0)
debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch (+57/-0)
debian/patches/ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch (+39/-0)
debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch (+64/-0)
debian/patches/ubuntu/apibuild-skip-libvirt-common.h (+31/-0)
debian/patches/ubuntu/avoid-restarting-virtlog-socket.patch (+33/-0)
debian/patches/ubuntu/daemon-augeas-fix-expected.patch (+28/-0)
debian/patches/ubuntu/dnsmasq-as-priv-user (+240/-0)
debian/patches/ubuntu/ovmf_paths.patch (+60/-0)
debian/patches/ubuntu/parallel-shutdown.patch (+25/-0)
debian/patches/ubuntu/set-default-machine-to-ubuntu.patch (+45/-0)
debian/patches/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch (+117/-0)
debian/patches/ubuntu/ubuntu-libxl-qemu-path.patch (+31/-0)
debian/patches/ubuntu/ubuntu_machine_type.patch (+14/-0)
debian/patches/ubuntu/xen-default-uri.patch (+28/-0)
debian/rules (+24/-11)
debian/tests/control (+3/-2)
debian/tests/smoke-lxc (+2/-2)
debian/tests/smoke-qemu-session (+5/-0)
debian/tests/smoke-qemu-session.xml (+2/-2)
dev/null (+0/-161)
docs/404.html (+1/-1)
docs/Makefile.am (+24/-14)
docs/Makefile.in (+24/-16)
docs/acl.html (+1/-1)
docs/aclpolkit.html (+1/-1)
docs/api.html (+1/-1)
docs/api_extension.html (+1/-1)
docs/apps.html (+1/-1)
docs/architecture.html (+1/-1)
docs/auditlog.html (+1/-1)
docs/auth.html (+1/-1)
docs/bindings.html (+1/-1)
docs/bugs.html (+1/-1)
docs/cgroups.html (+1/-1)
docs/compiling.html (+1/-1)
docs/contact.html (+1/-1)
docs/contribute.html (+1/-1)
docs/csharp.html (+1/-1)
docs/dbus.html (+1/-1)
docs/devguide.html (+1/-1)
docs/devhelp/libvirt-libvirt-common.html (+292/-0)
docs/devhelp/libvirt-libvirt-domain-snapshot.html (+536/-0)
docs/devhelp/libvirt-libvirt-domain.html (+5889/-0)
docs/devhelp/libvirt-libvirt-event.html (+252/-0)
docs/devhelp/libvirt-libvirt-host.html (+978/-0)
docs/devhelp/libvirt-libvirt-interface.html (+288/-0)
docs/devhelp/libvirt-libvirt-network.html (+461/-0)
docs/devhelp/libvirt-libvirt-nodedev.html (+359/-0)
docs/devhelp/libvirt-libvirt-nwfilter.html (+256/-0)
docs/devhelp/libvirt-libvirt-secret.html (+315/-0)
docs/devhelp/libvirt-libvirt-storage.html (+864/-0)
docs/devhelp/libvirt-libvirt-stream.html (+582/-0)
docs/devhelp/libvirt.devhelp (+2/-0)
docs/docs.html (+1/-1)
docs/downloads.html (+1/-1)
docs/drivers.html (+2/-58)
docs/drivers.html.in (+1/-15)
docs/drvbhyve.html (+1/-1)
docs/drvesx.html (+1/-1)
docs/drvhyperv.html (+1/-1)
docs/drvlxc.html (+1/-1)
docs/drvnodedev.html (+1/-1)
docs/drvopenvz.html (+1/-1)
docs/drvphyp.html (+1/-1)
docs/drvqemu.html (+1/-1)
docs/drvremote.html (+1/-1)
docs/drvtest.html (+1/-1)
docs/drvvbox.html (+1/-1)
docs/drvvirtuozzo.html (+1/-1)
docs/drvvmware.html (+1/-1)
docs/drvxen.html (+1/-1)
docs/errors.html (+1/-1)
docs/firewall.html (+1/-1)
docs/format.html (+1/-1)
docs/formatcaps.html (+1/-1)
docs/formatdomain.html (+4/-4)
docs/formatdomain.html.in (+1/-1)
docs/formatdomaincaps.html (+4/-5)
docs/formatdomaincaps.html.in (+3/-4)
docs/formatnetwork.html (+1/-1)
docs/formatnode.html (+1/-1)
docs/formatnwfilter.html (+1/-1)
docs/formatsecret.html (+1/-1)
docs/formatsnapshot.html (+1/-1)
docs/formatstorage.html (+1/-1)
docs/formatstoragecaps.html (+1/-1)
docs/formatstorageencryption.html (+1/-1)
docs/goals.html (+1/-1)
docs/governance.html (+1/-1)
docs/hacking.html (+70/-1)
docs/hacking.html.in (+61/-0)
docs/hooks.html (+1/-1)
docs/html/index.html (+1/-1)
docs/html/libvirt-libvirt-common.html (+1/-1)
docs/html/libvirt-libvirt-domain-snapshot.html (+1/-1)
docs/html/libvirt-libvirt-domain.html (+23/-3)
docs/html/libvirt-libvirt-event.html (+1/-1)
docs/html/libvirt-libvirt-host.html (+1/-1)
docs/html/libvirt-libvirt-interface.html (+1/-1)
docs/html/libvirt-libvirt-network.html (+1/-1)
docs/html/libvirt-libvirt-nodedev.html (+1/-1)
docs/html/libvirt-libvirt-nwfilter.html (+1/-1)
docs/html/libvirt-libvirt-secret.html (+1/-1)
docs/html/libvirt-libvirt-storage.html (+1/-1)
docs/html/libvirt-libvirt-stream.html (+1/-1)
docs/html/libvirt-virterror.html (+1/-1)
docs/hvsupport.html (+5/-5)
docs/hvsupport.html.in (+4/-4)
docs/index.html (+1/-1)
docs/internals.html (+1/-1)
docs/internals/command.html (+1/-1)
docs/internals/eventloop.html (+1/-1)
docs/internals/locking.html (+1/-1)
docs/internals/oomtesting.html (+1/-1)
docs/internals/rpc.html (+1/-1)
docs/java.html (+1/-1)
docs/libvirt-api.xml (+12/-2)
docs/libvirt-refs.xml (+19/-0)
docs/locking-lockd.html (+1/-1)
docs/locking-sanlock.html (+1/-1)
docs/locking.html (+1/-1)
docs/logging.html (+1/-1)
docs/migration.html (+1/-1)
docs/news-2005.html (+1/-1)
docs/news-2006.html (+1/-1)
docs/news-2007.html (+1/-1)
docs/news-2008.html (+1/-1)
docs/news-2009.html (+1/-1)
docs/news-2010.html (+1/-1)
docs/news-2011.html (+1/-1)
docs/news-2012.html (+1/-1)
docs/news-2013.html (+1/-1)
docs/news-2014.html (+1/-1)
docs/news-2015.html (+1/-1)
docs/news-2016.html (+1/-1)
docs/news.html (+73/-1)
docs/news.html.in (+43/-1)
docs/news.xml (+85/-0)
docs/nss.html (+1/-1)
docs/pci-hotplug.html (+1/-1)
docs/php.html (+1/-1)
docs/platforms.html (+1/-1)
docs/python.html (+1/-1)
docs/remote.html (+1/-1)
docs/secureusage.html (+1/-1)
docs/securityprocess.html (+1/-1)
docs/storage.html (+1/-1)
docs/support.html (+1/-1)
docs/testapi.html (+1/-1)
docs/testsuites.html (+1/-1)
docs/testtck.html (+1/-1)
docs/todo.html (+1/-1)
docs/uri.html (+1/-1)
docs/virshcmdref.html (+1/-1)
docs/windows.html (+1/-1)
examples/Makefile.am (+37/-5)
examples/Makefile.in (+43/-10)
gnulib/lib/Makefile.in (+0/-2)
gnulib/tests/Makefile.in (+0/-2)
include/libvirt/Makefile.in (+0/-2)
include/libvirt/libvirt-common.h (+1/-1)
include/libvirt/libvirt-domain.h (+13/-1)
libvirt.spec (+12/-29)
libvirt.spec.in (+11/-28)
m4/virt-external-programs.m4 (+7/-19)
m4/virt-udev.m4 (+2/-17)
m4/virt-yajl.m4 (+11/-1)
mingw-libvirt.spec.in (+1/-1)
po/Makefile.in (+0/-2)
po/af.po (+2668/-2639)
po/am.po (+2668/-2639)
po/anp.po (+2668/-2639)
po/ar.po (+2668/-2639)
po/as.po (+2668/-2639)
po/ast.po (+2668/-2639)
po/bal.po (+2668/-2639)
po/be.po (+2668/-2639)
po/bg.po (+2668/-2639)
po/bn.po (+2668/-2639)
po/bn_IN.po (+2668/-2639)
po/bo.po (+2668/-2639)
po/br.po (+2668/-2639)
po/brx.po (+2668/-2639)
po/bs.po (+2668/-2639)
po/ca.po (+2668/-2639)
po/cs.po (+2668/-2639)
po/cy.po (+2668/-2639)
po/da.po (+2668/-2639)
po/de.po (+2668/-2639)
po/de_CH.po (+2668/-2639)
po/el.po (+2668/-2639)
po/en_GB.po (+2668/-2639)
po/eo.po (+2668/-2639)
po/es.po (+2668/-2639)
po/et.po (+2668/-2639)
po/eu.po (+2668/-2639)
po/fa.po (+2668/-2639)
po/fi.po (+2668/-2639)
po/fil.po (+2668/-2639)
po/fr.po (+2668/-2639)
po/fur.po (+2668/-2639)
po/ga.po (+2668/-2639)
po/gl.po (+2668/-2639)
po/gu.po (+2668/-2639)
po/he.po (+2668/-2639)
po/hi.po (+2668/-2639)
po/hr.po (+2668/-2639)
po/hu.po (+2668/-2639)
po/ia.po (+2668/-2639)
po/id.po (+2668/-2639)
po/ilo.po (+2668/-2639)
po/is.po (+2668/-2639)
po/it.po (+2668/-2639)
po/ja.po (+2668/-2639)
po/ka.po (+2668/-2639)
po/kk.po (+2668/-2639)
po/km.po (+2668/-2639)
po/kn.po (+2668/-2639)
po/ko.po (+2668/-2639)
po/kw.po (+2668/-2639)
po/kw@kkcor.po (+2668/-2639)
po/kw@uccor.po (+2668/-2639)
po/kw_GB.po (+2668/-2639)
po/ky.po (+2668/-2639)
po/libvirt.pot (+2669/-2640)
po/lt.po (+2668/-2639)
po/lv.po (+2668/-2639)
po/mai.po (+2668/-2639)
po/mk.po (+2668/-2639)
po/ml.po (+2668/-2639)
po/mn.po (+2668/-2639)
po/mr.po (+2668/-2639)
po/ms.po (+2668/-2639)
po/my.po (+2668/-2639)
po/nb.po (+2668/-2639)
po/nds.po (+2668/-2639)
po/ne.po (+2668/-2639)
po/nl.po (+2668/-2639)
po/nn.po (+2668/-2639)
po/nso.po (+2668/-2639)
po/or.po (+2668/-2639)
po/pa.po (+2668/-2639)
po/pl.po (+2668/-2639)
po/pt.po (+2668/-2639)
po/pt_BR.po (+2668/-2639)
po/ro.po (+2668/-2639)
po/ru.po (+2668/-2639)
po/si.po (+2668/-2639)
po/sk.po (+2668/-2639)
po/sl.po (+2668/-2639)
po/sq.po (+2668/-2639)
po/sr.po (+2668/-2639)
po/sr@latin.po (+2668/-2639)
po/sv.po (+2668/-2639)
po/ta.po (+2668/-2639)
po/te.po (+2668/-2639)
po/tg.po (+2668/-2639)
po/th.po (+2668/-2639)
po/tr.po (+2668/-2639)
po/tw.po (+2668/-2639)
po/uk.po (+2675/-2646)
po/ur.po (+2668/-2639)
po/vi.po (+2668/-2639)
po/wba.po (+2668/-2639)
po/yo.po (+2668/-2639)
po/zh_CN.po (+2668/-2639)
po/zh_HK.po (+2668/-2639)
po/zh_TW.po (+2668/-2639)
po/zu.po (+2668/-2639)
src/Makefile.am (+1/-1)
src/Makefile.in (+14/-28)
src/admin/admin_server_dispatch.c (+22/-0)
src/conf/domain_conf.c (+27/-14)
src/conf/domain_conf.h (+1/-0)
src/conf/moment_conf.c (+28/-2)
src/conf/moment_conf.h (+5/-2)
src/conf/snapshot_conf.c (+97/-70)
src/conf/snapshot_conf.h (+2/-2)
src/conf/virdomainmomentobjlist.c (+3/-4)
src/conf/virdomainsnapshotobjlist.c (+1/-1)
src/conf/virstorageobj.c (+3/-9)
src/cpu/cpu_x86.c (+0/-2)
src/cpu_map/x86_features.xml (+3/-0)
src/esx/esx_driver.c (+9/-10)
src/libvirt-domain.c (+4/-0)
src/libvirt_private.syms (+1/-1)
src/libvirt_remote.syms (+1/-0)
src/locking/Makefile.inc.am (+1/-3)
src/locking/virtlockd-admin.socket.in (+1/-0)
src/locking/virtlockd.socket.in (+1/-0)
src/logging/Makefile.inc.am (+1/-3)
src/logging/virtlogd-admin.socket.in (+1/-0)
src/logging/virtlogd.socket.in (+1/-0)
src/network/Makefile.inc.am (+1/-1)
src/network/bridge_driver.c (+34/-41)
src/network/bridge_driver_linux.c (+84/-15)
src/network/bridge_driver_nop.c (+2/-1)
src/network/bridge_driver_platform.h (+1/-1)
src/node_device/node_device_udev.c (+0/-43)
src/qemu/qemu_blockjob.c (+1/-1)
src/qemu/qemu_blockjob.h (+1/-2)
src/qemu/qemu_capabilities.c (+52/-8)
src/qemu/qemu_command.c (+42/-66)
src/qemu/qemu_domain.c (+240/-53)
src/qemu/qemu_domain.h (+15/-8)
src/qemu/qemu_driver.c (+127/-124)
src/qemu/qemu_hotplug.c (+6/-74)
src/qemu/qemu_migration.c (+9/-12)
src/qemu/qemu_monitor.c (+9/-8)
src/qemu/qemu_monitor.h (+3/-2)
src/qemu/qemu_monitor_json.c (+17/-27)
src/qemu/qemu_monitor_json.h (+3/-2)
src/qemu/qemu_process.c (+9/-1)
src/qemu/qemu_qapi.c (+275/-109)
src/rpc/virnetserver.c (+6/-2)
src/rpc/virnetsshsession.c (+0/-3)
src/security/Makefile.inc.am (+0/-2)
src/security/virt-aa-helper.c (+3/-2)
src/storage/Makefile.inc.am (+1/-1)
src/test/test_driver.c (+175/-13)
src/util/virbuffer.c (+3/-4)
src/util/virbuffer.h (+1/-1)
src/util/vircommand.c (+3/-0)
src/util/virhostdev.c (+0/-3)
src/util/virpolkit.c (+1/-0)
src/util/virresctrl.c (+3/-3)
src/util/virsysinfo.c (+13/-12)
src/util/virutil.c (+7/-14)
src/vbox/vbox_common.c (+47/-48)
src/vz/vz_driver.c (+4/-5)
src/vz/vz_sdk.c (+5/-5)
tests/Makefile.am (+1/-1)
tests/Makefile.in (+6/-7)
tests/commandtest.c (+1/-1)
tests/cputest.c (+1/-0)
tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml (+7/-0)
tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml (+8/-0)
tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml (+29/-0)
tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml (+30/-0)
tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml (+12/-0)
tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json (+652/-0)
tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig (+4/-0)
tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml (+47/-0)
tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml (+1/-0)
tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml (+1/-0)
tests/domaincapsschemadata/qemu_4.0.0.s390x.xml (+198/-0)
tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml (+1/-1)
tests/domaincapstest.c (+4/-0)
tests/domainsnapshotxml2xmltest.c (+1/-2)
tests/networkxml2firewalldata/base.args (+116/-0)
tests/networkxml2firewalltest.c (+30/-6)
tests/qemublocktest.c (+2/-1)
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.replies (+16/-32)
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.replies (+145/-145)
tests/qemucapabilitiesdata/caps_2.12.0.s390x.replies (+18/-34)
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.replies (+24/-40)
tests/qemucapabilitiesdata/caps_3.0.0.ppc64.replies (+150/-150)
tests/qemucapabilitiesdata/caps_3.0.0.riscv32.replies (+12/-28)
tests/qemucapabilitiesdata/caps_3.0.0.riscv64.replies (+12/-28)
tests/qemucapabilitiesdata/caps_3.0.0.s390x.replies (+18/-34)
tests/qemucapabilitiesdata/caps_3.0.0.x86_64.replies (+24/-40)
tests/qemucapabilitiesdata/caps_3.1.0.ppc64.replies (+172/-143)
tests/qemucapabilitiesdata/caps_3.1.0.x86_64.replies (+24/-40)
tests/qemucapabilitiesdata/caps_4.0.0.aarch64.replies (+19981/-0)
tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml (+310/-0)
tests/qemucapabilitiesdata/caps_4.0.0.ppc64.replies (+24004/-0)
tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml (+1077/-0)
tests/qemucapabilitiesdata/caps_4.0.0.riscv32.replies (+17/-33)
tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml (+2/-2)
tests/qemucapabilitiesdata/caps_4.0.0.riscv64.replies (+17/-33)
tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml (+2/-2)
tests/qemucapabilitiesdata/caps_4.0.0.s390x.replies (+21498/-0)
tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml (+2894/-0)
tests/qemucapabilitiesdata/caps_4.0.0.x86_64.replies (+1681/-1532)
tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml (+6/-20)
tests/qemumonitorjsontest.c (+85/-34)
tests/qemuxml2argvdata/aarch64-os-firmware-efi.aarch64-latest.args (+1/-1)
tests/qemuxml2argvdata/aarch64-virt-graphics.aarch64-latest.args (+1/-1)
tests/qemuxml2argvdata/aarch64-virt-headless.aarch64-latest.args (+1/-1)
tests/qemuxml2argvdata/cpu-host-model-cmt.args (+1/-1)
tests/qemuxml2argvdata/cpu-no-removed-features.args (+5/-3)
tests/qemuxml2argvdata/cpu-no-removed-features.xml (+23/-0)
tests/qemuxml2argvdata/cpu-tsc-frequency.args (+2/-2)
tests/qemuxml2argvdata/intel-iommu-caching-mode.x86_64-latest.args (+9/-11)
tests/qemuxml2argvdata/intel-iommu-caching-mode.xml (+1/-22)
tests/qemuxml2argvdata/intel-iommu-device-iotlb.x86_64-latest.args (+32/-0)
tests/qemuxml2argvdata/intel-iommu-device-iotlb.xml (+1/-0)
tests/qemuxml2argvdata/intel-iommu-eim.x86_64-latest.args (+10/-5)
tests/qemuxml2argvdata/intel-iommu-eim.xml (+1/-0)
tests/qemuxml2argvdata/intel-iommu-wrong-machine.xml (+3/-5)
tests/qemuxml2argvdata/intel-iommu.x86_64-2.6.0.args (+6/-3)
tests/qemuxml2argvdata/intel-iommu.x86_64-latest.args (+12/-6)
tests/qemuxml2argvdata/intel-iommu.xml (+1/-0)
tests/qemuxml2argvdata/iothreads-virtio-scsi-ccw.s390x-latest.args (+3/-3)
tests/qemuxml2argvdata/s390x-ccw-graphics.s390x-latest.args (+1/-1)
tests/qemuxml2argvdata/s390x-ccw-headless.s390x-latest.args (+1/-1)
tests/qemuxml2argvdata/vhost-vsock-ccw-auto.s390x-latest.args (+1/-1)
tests/qemuxml2argvdata/vhost-vsock-ccw.s390x-latest.args (+1/-1)
tests/qemuxml2argvtest.c (+8/-27)
tests/qemuxml2xmloutdata/intel-iommu-caching-mode.x86_64-latest.xml (+1/-22)
tests/qemuxml2xmloutdata/intel-iommu-device-iotlb.x86_64-latest.xml (+1/-0)
tests/qemuxml2xmloutdata/intel-iommu-eim.x86_64-latest.xml (+1/-0)
tests/qemuxml2xmloutdata/intel-iommu.x86_64-2.6.0.xml (+2/-1)
tests/qemuxml2xmloutdata/intel-iommu.x86_64-latest.xml (+1/-0)
tests/qemuxml2xmltest.c (+5/-10)
tests/storagepoolxml2argvtest.c (+0/-1)
tests/virbuftest.c (+27/-0)
tests/virfilemock.c (+3/-0)
tests/virhostdevtest.c (+12/-49)
tests/virstoragetest.c (+1/-1)
tests/virtestmock.c (+5/-1)
tools/Makefile.in (+0/-2)
tools/virsh-domain-monitor.c (+6/-0)
tools/virsh.1.in (+5/-1)
tools/virsh.pod (+4/-0)

Revision history for this message

Didier Roche-Tolomelli (didrocks) wrote on 2019-06-17:

Dependencies.txt Edit (2.8 KiB, text/plain; charset="utf-8")
KernLog.txt Edit (11.6 KiB, text/plain; charset="utf-8")
ProcCpuinfoMinimal.txt Edit (1.3 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (334 bytes, text/plain; charset="utf-8")
RelatedPackageVersions.txt Edit (149 bytes, text/plain; charset="utf-8")

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-06-18:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libvirt (Ubuntu):
status:	New → Confirmed

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2019-06-18:

As a workaround I have created:
/etc/apparmor.d/local/abstractions/libvirt-qemu

with contents:
unix,

which allows doing anything/everything with sockets. It should be more fine-grained than that.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-06-18:

Thanks Didier and Dimitri!

I'll take a look at a more fine grained rule - but right now a few other blockers need to get out of the way first :-/

tags:	added: libvirt-19.10
Changed in libvirt (Ubuntu):
status:	Confirmed → Triaged
importance:	Undecided → Medium
assignee:	nobody → Christian Ehrhardt  (paelzer)

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-06-19:

As I assumed easily reproducible

[ 7152.173377] audit: type=1400 audit(1560925171.038:439): apparmor="DENIED" operation="file_r50-221da1d95974" pid=18422 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 "

Compared to other denies this is really rather low on extra qualifiers - I see why you just added "unix," for now :-/

We used to have this for the past few releases:
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),

The peer detection is gone now, I have now good idea why, but essentially for libvirt 4.0 we have to trim the rule to
unix (send, receive) type=stream addr=none,

Which still a rather (too) open rule.

Further I have realized that your systems (which are Eoan, while I'm eoan LXD on Bionic+HWE 4.18) actually detect a peer, but with the path changed.
- kernel 5.0.0-16 (Eoan) peer="libvirtd"
- kernel 4.18 (Bionic + HWE) no peer detected
- older libvirt peer=(label=/usr/sbin/libvirtd)

I started a discussion in #security
if nothing comes back I'll set jdstrand to CC anyway when submitting something upstream, maybe he has an idea why the peer detection was changed.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-06-19:

In a Eoan VM I can recreate your case (with peer = libvirt without path)

I was discussing with jjohansen, but we couldn't easily identify a apparmor related change.
I'd think we actually have two cases here:
- there was some libvirt change that slightly changed how this is called
  - in LXD+HWE kernel this leads to no peer detection at all - but that is an unsupported corner
    case anyway, and might even be good with a newer kernel like the one you have
  - in normal execution the peer detection changed from "/usr/sbin/libvirtd" to "libvirtd"
  - the latter might be depending on the kernel, so e.g. UCA backports might see the old one

Ha I found the change that triggered this and a partial cleanup:
Trigger: https://libvirt.org/git/?p=libvirt.git;a=commit;h=a3ab6d42
Partial cleanup: https://libvirt.org/git/?p=libvirt.git;a=commit;h=4ec3cf9a

Ok, the needed change is clear let me suggest it upstream.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-06-19:

This works as expected:
unix (send, receive) type=stream addr=none peer=(label=libvirtd),

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-06-19:

Submitted upstream, once accepted a fix in Eoan should be trivial
=> https://www.redhat.com/archives/libvir-list/2019-June/msg00722.html

Revision history for this message

Didier Roche-Tolomelli (didrocks) wrote on 2019-06-19:

Thanks for keeping us posted Christian :)

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-06-19:

#10

Acked and Pushed upstream, prepping an Eoan upload.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-06-19:

#11

This bug was fixed in the package libvirt - 5.4.0-0ubuntu2

---------------
libvirt (5.4.0-0ubuntu2) eoan; urgency=medium

  * d/p/ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch:
    avoid issues with remote screen connections like virt-manager due to
    apparmor changes in libvirt 5.1 (LP: #1833040)

-- Christian Ehrhardt <email address hidden> Wed, 19 Jun 2019 14:34:54 +0200

Changed in libvirt (Ubuntu):
status:	Triaged → Fix Released

Revision history for this message

John Johansen (jjohansen) wrote on 2019-06-19:

#12

[ 7152.173377] audit: type=1400 audit(1560925171.038:439): apparmor="DENIED" operation="file_r50-221da1d95974" pid=18422 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 "

is really bothering me. This should not be possible. operation="file_r50-221da1d95974" does NOT exist, this looks like memory corruption. And several of the other fields that are missing would trigger AA_BUG.

Sadly I don't have this figured out yet.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1833227

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulibvirt package

virt-manager fails to show virtual console: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

Bug Description

Related branches

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
libvirt package