Cannot use /usr/lib/u-boot/qemu-riscv64_smode/uboot.elf as bootloader due to AppArmor
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libvirt (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[ Impact ]
* Riscv gets more and more common, but still lacking
real (or powerful) HW it is often used in an emulated
environment. So far people usually directly call qemu,
but for the benefit of better lifecycle management and
many comfort features they start to drive it through
libvirt. But when doing so they are blocked by the
apparmor guest isolation.
* Fix by allowing virt-aa-helper to consider adding
the paths that Ubuntu delivers the boot elements
for riscv64. That means only guests configuring
for it in the XML can access that - and even those
just read-only
[ Test Plan ]
# apt install -y libvirt-
# wget https:/
# unxz ubuntu-
# mv ubuntu-
# cat << EOF > riscv-guest.xml
<domain type='qemu'>
<name>
<os>
<type arch='riscv64' machine=
<kernel>
<loader readonly="yes" type="rom"
</os>
<memory unit="GiB"
<vcpu placement=
<devices>
<disk type='file' device='disk' cache='none'>
<driver name='qemu' type='raw'/>
<source file='/
<target dev='sda' bus='scsi'/>
</disk>
<controller type='scsi' model='
<interface type='network'>
<source network='default'/>
<target dev='vnet0'/>
<console type='pty'>
<target type='serial' port='0'/>
</console>
</devices>
</domain>
EOF
# virsh define riscv-guest.xml
# virsh start ubuntu22.10-riscv64
error: Failed to start domain 'ubuntu22.
error: internal error: cannot load AppArmor profile 'libvirt-
And in the journal I pick up the mentioned error:
internal error: Child process (LIBVIRT_
internal error: cannot load AppArmor profile 'libvirt-
With the fix in place virt-aa-helper will no more spill those messages to the log and create a per-guest file that allows the access to those files.
[ Where problems could occur ]
* This is not reducing, but allowing more access and therefore
has much smaller regression risk than vice versa. To be on the
save side (as with other roms and such) we only add this to
the guest rules when configured on the host and never with a
write rule. Together that is considered safe.
* So much for safety, on the functional side if we messed up
virt-aa-helper the potential regressions would be
a) break when executed -> no apparmor rules breaking guest start
b) runs, but emits odd rules -> guest could access more
Gladly the change is rather small and both risks are considered
highly unlikely, but in any case that is how the potential risk would
most likely surface.
[ Other Info ]
@SRU team - 1989078 (just entered J-proposed) and 1990499 (this upload) could land together in Jammy if you want. It is just that 1989078 was delayed for quite some time waiting in -unapproved, but I'm more than happy to re-generate 8.0.0-1ubuntu7.3 with -V 8.0.0-1ubuntu7.1 - in that case we could have ONE (1) update released to users.
Avoids one extra download for many people.
And they are even thematically close (apparmor handling for less common architectures)
Ping me (paelzer) if you prefer to do it this way.
---- original report ----
I am trying to adapt the guide to booting the riscv64 QEMU image from https:/
Sep 22 11:07:06 Isaac-Laptop libvirtd[6243]: internal error: Child process (LIBVIRT_
75: info : libvirt version: 8.0.0, package: 1ubuntu7.1 (Christian Ehrhardt <email address hidden> Thu, 19 May 2022 08:14:48 +0200)#
56675: error : virStorageFileB
le#012virt-
This seems to be caused by the U-Boot path not being permitted by AppArmor to be used by libvirt.
I'm using the following XML snippet for setting the loader and kernel (adapted from the QEMU instructions):
<os>
<type arch="riscv64" machine=
<loader readonly="yes" type="rom"
<kernel>
</os>
Moving the U-Boot binary to /var/tmp/uboot.elf resolves this issue, but libvirt then generates another AppArmor error due to the fw_jump.elf file:
Sep 22 11:12:09 Isaac-Laptop libvirtd[6243]: internal error: Child process (LIBVIRT_
Moving this to /var/tmp/
Should these two file paths be added to the AppArmor rules? Maybe the equivalent paths for all architectures should be added?
---
$ lsb_release -rd
Description: Ubuntu 22.04.1 LTS
Release: 22.04
$ apt policy libvirt0
libvirt0:
Installed: 8.0.0-1ubuntu7.1
Candidate: 8.0.0-1ubuntu7.1
Version table:
*** 8.0.0-1ubuntu7.1 500
500 http://
100 /var/lib/
8.0.0-1ubuntu7 500
500 http://
Related branches
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 278 lines (+250/-0)4 files modifieddebian/changelog (+9/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch (+58/-0)
debian/patches/ubuntu/lp-1990949-virpcivpd-reduce-errors-in-log-due-to-invalid-VPD.patch (+181/-0)
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 88 lines (+66/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch (+58/-0)
Thank Isaac, I thought we do generate the paths in loader / kernel in aa-helper into the rules.
If not we should :-)
I'll need some time to have a real look myself, and time is scarce atm :-/
Can you until then provide:
1. the release you are on
2. the packages you installed to get uboot and all other elements in place
3. the full guest XML you are using