Bug 1659775
| Summary: | AppArmor breaks virtio-gpu + virgl | ||
|---|---|---|---|
| Product: | [Community] Virtualization Tools | Reporter: | intrigeri <intrigeri> |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | unspecified | CC: | intrigeri, libvirt-maint, mprivozn |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-5.2.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-21 09:21:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I believe this is fixed by:

```
commit 27a9ebf28183cb3c3c784fcab622e67e978eb3dc
Author:     Christian Ehrhardt <christian.ehrhardt>
AuthorDate: Tue Feb 12 11:12:52 2019 +0100
Commit:     Christian Ehrhardt <christian.ehrhardt>
CommitDate: Mon Feb 25 08:57:33 2019 +0100

    security: aa-helper: generate more rules for gl devices

    Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled
    graphics devices" implemented the detection for gl enabled
    devices in virt-aa-helper. But further testing showed
    that it will need much more access for the full gl stack
    to work.

    Upstream apparmor just recently split those things out and now
    has two related abstractions at
    https://gitlab.com/apparmor/apparmor/blob/master:
    - dri-common at /profiles/apparmor.d/abstractions/dri-common
    - mesa: at /profiles/apparmor.d/abstractions/mesa

    It would be great to just include that for the majority of
    rules, but they are not yet in any distribution so we need
    to add rules inspired by them based on the testing that we
    can do.

    Furthermore qemu with opengl will also probe the backing device
    of the rendernode for attributes which should be safe as
    read-only wildcard rules.

    Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815452
    Acked-by: Jamie Strandboge <jamie>
    Signed-off-by: Christian Ehrhardt <christian.ehrhardt>
```
And:

```
commit 00fbb9e51678f76effa2d20e78a9be861ad5f484
Author:     Christian Ehrhardt <christian.ehrhardt>
AuthorDate: Fri Mar 1 07:25:59 2019 +0100
Commit:     Christian Ehrhardt <christian.ehrhardt>
CommitDate: Wed Mar 6 11:29:55 2019 +0100

    security: aa-helper: nvidia rules for gl devices

    Further testing with different devices showed that we need more rules
    to drive gl backends with nvidia cards. Related denies look like:

    apparmor="DENIED" operation="open"
    name="/usr/share/egl/egl_external_platform.d/"
    requested_mask="r"

    apparmor="DENIED" operation="open"
    name="/proc/modules"
    requested_mask="r"

    apparmor="DENIED" operation="open"
    name="/proc/driver/nvidia/params"
    requested_mask="r"

    apparmor="DENIED" operation="mknod"
    name="/dev/nvidiactl"
    requested_mask="c"

    Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1817943
    Acked-by: Jamie Strandboge <jamie>
    Signed-off-by: Christian Ehrhardt <christian.ehrhardt>
```
On a Debian sid host with AppArmor enabled, a guest with virtio-gpu + virgl enabled fails to start with:

```
qemu-system-x86_64: egl: no drm render node available
qemu-system-x86_64: Failed to initialize EGL render node for SPICE GL
```

… and I see a bunch of AppArmor denials in the logs.

Version-Release number of selected component (if applicable): libvirt 4.10.0-1 on Debian sid

To work around this problem, here's the minimal set of rules I had to add to /etc/apparmor.d/libvirt/TEMPLATE.qemu:

```
/dev/dri/ r,
/dev/dri/renderD128 rw,
/etc/drirc r,
/{etc,usr/share}/glvnd/egl_vendor.d/ r,
/{etc,usr/share}/glvnd/egl_vendor.d/*.json r,
/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
/usr/lib/x86_64-linux-gnu/dri/*_dri.so m,
```

These AppArmor rules should be added automatically by virt-aa-helper when virtio-gpu + virgl are enabled for a guest.

If we can assume a recent enough apparmor package, most of these rules can be replaced by using the dri-enumerate and dri-common abstractions instead (they allow a bit more broader access, nothing too scary though).

Commit 98931187eefdec6f2dea5cb82ab6d23a3ffa6634 fixed the DAC part of the virtio-gpu + virgl access problem already; it could provide useful inspiration wrt. checking whether these AppArmor rules need to be added for a given guest.
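The two pieces of evidence on this bug are AppArmor `DENIED` audit lines (quoted in the commit messages above) and a candidate rule set (the reporter's TEMPLATE.qemu workaround). The script below is an added example, not libvirt or virt-aa-helper code: it parses the `key="value"` form of AppArmor audit messages, translates AppArmor path globs (`*`, `**`, `?`, `{a,b}`, `[0-9]`) into anchored regular expressions, and reports which denials the rule set still does not cover, emitting one candidate rule per gap for a human to review rather than apply blindly. The sample log lines are constructed, modelled on the denials quoted in the bug; the profile name `libvirt-EXAMPLE` and pid are placeholders. It relies on the documented AppArmor behaviour that a file rule's `w` permission already covers create (`c`) and append (`a`) requests.

```python
"""Check AppArmor DENIED audit lines against a candidate rule set (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample denials, modelled on the messages quoted in the bug.
SAMPLE_DENIALS = """\
apparmor="DENIED" operation="open" profile="libvirt-EXAMPLE" name="/dev/dri/renderD128" pid=4242 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw"
apparmor="DENIED" operation="open" profile="libvirt-EXAMPLE" name="/usr/share/glvnd/egl_vendor.d/50_mesa.json" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r"
apparmor="DENIED" operation="open" profile="libvirt-EXAMPLE" name="/sys/devices/pci0000:00/0000:00:02.0/vendor" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r"
apparmor="DENIED" operation="open" profile="libvirt-EXAMPLE" name="/proc/driver/nvidia/params" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r"
apparmor="DENIED" operation="mknod" profile="libvirt-EXAMPLE" name="/dev/nvidiactl" pid=4242 comm="qemu-system-x86" requested_mask="c" denied_mask="c"
"""

# The reporter's workaround rules for TEMPLATE.qemu, as given in the bug description.
WORKAROUND_RULES = [
    "/dev/dri/ r,",
    "/dev/dri/renderD128 rw,",
    "/etc/drirc r,",
    "/{etc,usr/share}/glvnd/egl_vendor.d/ r,",
    "/{etc,usr/share}/glvnd/egl_vendor.d/*.json r,",
    "/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,",
    "/usr/lib/x86_64-linux-gnu/dri/*_dri.so m,",
]

_KV = re.compile(r'(\w+)="([^"]*)"')
# In a file rule, "w" already implies create ("c") and append ("a").
_IMPLIED_BY_W = {"c": "w", "a": "w"}


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the key="value" fields of one audit line, or None if it is not a denial."""
    fields = dict(_KV.findall(line))
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an AppArmor path glob into an anchored regex.
    ** crosses directory separators, * and ? do not, {a,b} is alternation,
    [...] is passed through as a character class."""
    out: List[str] = []
    depth = 0  # nesting of {...} groups
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            end = pattern.index("]", i)
            out.append(pattern[i:end + 1])
            i = end
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rule(rule: str) -> Tuple[re.Pattern, str]:
    """Split "/path/glob perms," into (compiled path regex, permission letters)."""
    path, perms = rule.rstrip(",").split()
    return glob_to_regex(path), perms


def rule_covers(rule: Tuple[re.Pattern, str], name: str, mask: str) -> bool:
    """True if the rule's path matches name and its permissions include every requested letter."""
    regex, perms = rule
    if not regex.match(name):
        return False
    return all(_IMPLIED_BY_W.get(m, m) in perms for m in mask)


def uncovered_denials(log_text: str, rules: List[str]) -> List[Dict[str, str]]:
    """Denials in log_text that no rule in the set would allow."""
    parsed = [parse_rule(r) for r in rules]
    missing = []
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is not None and not any(
            rule_covers(r, d["name"], d["requested_mask"]) for r in parsed
        ):
            missing.append(d)
    return missing


def suggest_rules(denials: List[Dict[str, str]]) -> List[str]:
    """One candidate rule per uncovered denial, for review, with c/a folded into w."""
    seen: List[str] = []
    for d in denials:
        perms = "".join(sorted({_IMPLIED_BY_W.get(m, m) for m in d["requested_mask"]}))
        rule = f'{d["name"]} {perms},'
        if rule not in seen:
            seen.append(rule)
    return seen


if __name__ == "__main__":
    gaps = uncovered_denials(SAMPLE_DENIALS, WORKAROUND_RULES)
    for d in gaps:
        print(f'{d["operation"]:6} {d["name"]} ({d["requested_mask"]}) not covered')
    print("candidate rules for review:", *suggest_rules(gaps), sep="\n  ")
```

Run against the constructed sample, the first three denials (render node, glvnd JSON, PCI sysfs attribute) are covered by the reporter's rules, and the two NVIDIA paths are reported as gaps with `r` and `w` candidates. The `w` for `/dev/nvidiactl` is exactly the kind of suggestion a reviewer should weigh against the narrowest permission the workload actually needs before it lands in a profile; the point of the script is to make the gap visible, not to widen the profile automatically.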