
AppArmor: Allow VM to read sysfs PCI config, revision files

I recently upgraded from Ubuntu 21.10 to 22.04. I have an existing VM with virtio video and gl-accelerated Spice display which previously worked.

After the upgrade, virt-manager and virt-viewer display a blank screen. In the qemu libvirt logs, I observe many repetitions of:

qemu_spice_gl_scanout_texture: failed to get fd for texture

dmesg contains these AppArmor errors:

[250001.100362] audit: type=1400 audit(1651958128.696:706): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[250001.100367] audit: type=1400 audit(1651958128.696:707): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

Modifying the AppArmor config for this VM to permit access to the revision and config sysfs paths fixed this issue for me. The VM display is visible and virgl is working.

Edited by Max Goodhart
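
The troubleshooting step described above, as an added example that is not part of the original merge request or of libvirt's code: it parses AppArmor `DENIED` audit lines and proposes read-only rules only for the sysfs PCI `config` and `revision` files, leaving every other denial for manual review. The function names, the allow-list regex and the third sample log line are assumptions made for this example.

```python
import re
from collections import defaultdict

# Lines 1-2 are the denials quoted in the merge request; line 3 is constructed
# (a hypothetical "resource0" rw request) to show a denial that is NOT suggested.
SAMPLE = '''
[250001.100362] audit: type=1400 audit(1651958128.696:706): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[250001.100367] audit: type=1400 audit(1651958128.696:707): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[250001.100400] audit: type=1400 audit(1651958128.700:708): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/resource0" pid=132725 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=64055 ouid=0
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption of this example: only read access to the config/revision
# attribute of a PCI function under sysfs is ever suggested automatically.
PCI_ATTR = re.compile(
    r'/sys/devices/pci[0-9a-f]{4}:[0-9a-f]{2}'
    r'(/[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7])+/(config|revision)')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, or None."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def suggest_rules(log_text):
    """Return ({profile: [rule, ...]}, [lines needing manual review])."""
    rules, review = defaultdict(set), []
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue  # not an AppArmor denial
        allowed = (d.get("profile", "").startswith("libvirt-")
                   and d.get("denied_mask") == "r"
                   and PCI_ATTR.fullmatch(d.get("name", "")))
        if allowed:
            # Quote the path and grant read only, matching denied_mask="r".
            rules[d["profile"]].add(f'"{d["name"]}" r,')
        else:
            review.append(line)
    return {p: sorted(r) for p, r in rules.items()}, review

if __name__ == "__main__":
    rules, review = suggest_rules(SAMPLE)
    for profile, lines in rules.items():
        print(f"# {profile}")
        print("\n".join(f"  {r}" for r in lines))
    print(f"# {len(review)} denial(s) left for manual review")
```

The suggested rules name exact paths with read permission only; widening them to a glob is a separate, deliberate decision.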
