author | Stefano Brivio <sbrivio@redhat.com> | 2025-02-05 17:21:59 +0100 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2025-02-06 09:43:09 +0100 |
commit | f66769c2de82550ac1ee2548960c09a4b052341f (patch) | |
tree | 4a728d064bf6d60bdc9d88097330a6c95f56c4a1 /vu_common.c | |
parent | 593be3277429f0a2c06f6bebab4f20736c96abc8 (diff) | |
apparmor: Workaround for unconfined libvirtd when triggered by unprivileged user

If libvirtd is triggered by an unprivileged user, the virt-aa-helper
mechanism doesn't work, because per-VM profiles can't be instantiated,
and as a result libvirtd runs unconfined.

This means passt can't start, because the passt subprofile from
libvirt's profile is not loaded either.

Example:

  $ virsh start alpine
  error: Failed to start domain 'alpine'
  error: internal error: Child process (passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0-passt.pid --tcp-ports 40922:2) unexpected fatal signal 11

Add an annoying workaround for the moment being. Much better than
encouraging users to start guests as root, or to disable AppArmor
altogether.

Reported-by: Prafulla Giri <prafulla.giri@protonmail.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Diffstat (limited to 'vu_common.c')
0 files changed, 0 insertions, 0 deletions