[Impact]
* New GL handling code in qemu/libs triggers apparmor denials in
Jammy and later
* Libvirt already has code that does context aware "if gl is
enabled then allow things". The patch extends those by the
new paths it needs to access.
[Test Plan]
* In your preferred way get a guest of your choice that has UI support,
for example Ubuntu Desktop
* Set virtio graphics and Enable GL acceleration.
Essentially this comes down to those elements:
<video>
<model type='virtio'/>
<driver name='qemu'/>
</video>
<graphics type='spice'>
<listen type='socket'/>
<gl enable='yes'/>
</graphics)
There are various similar equally valid variants that you
can configure this.
You can do the same via the virt-manager Ui if you prefer that.
Without the fix that will trigger apparmor denials and not show the Display correctly.
[Where problems could occur]
* This is just "allowing more" to be read out of the apparmor isolation,
therefore I'd hope that regressions are not happening. The scenarios I
could think of are:
1. a user of Jammy set this up, wasn't really using GL and after the
fix suddenly gets unexpected UI output (unlikely, and not really a
problem)
2. The paths would be considered unsafe to be read by the guest and
thereby be a problem (that is not the case as far as we know so far)
3. There might be a missed issue in the changed code, breaking
virt-aa-helper (the nature of the change makes this unlikely, it
isn't too complex) and that would stop starting new guests.
They'd fail with an apparmor related message then.
None of the above seems realistic or critical to me, I think we are safe with this change.
[Other Info]
* n/a
--- original bug ---
Also filed upstream:
https://gitlab.com/libvirt/libvirt/-/merge_requests/151
I recently upgraded from Ubuntu 21.10 to 22.04. I have an existing VM with virtio video and gl-accelerated Spice display which previously worked.
After the upgrade, virt-manager and virt-viewer display a blank screen. In the qemu libvirt logs, I observe many repetitions of:
qemu_spice_gl_scanout_texture: failed to get fd for texture
dmesg contains these AppArmor errors:
[250001.100362] audit: type=1400 audit(1651958128.696:706): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[250001.100367] audit: type=1400 audit(1651958128.696:707): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Modifying the AppArmor config for this VM to permit access to the `revision` and `config` sysfs paths fixed this issue for me. The VM display is visible and virgl is working. I was able to do so by adding the following line:
"/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device,config,revision}" r,
The Desktop team would like to see that one considered as high and see a SRU to 22.04 if possible once we have a fix available