Date: Wed, 24 Jan 2024 09:19:54 -0700
From: Kevin Locke
To: Linus Torvalds, Josh Triplett, Kees Cook, Mateusz Guzik, Al Viro
Cc: linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [6.8-rc1 Regression] Unable to exec apparmor_parser from virt-aa-helper

Hello Linux developers,

Using AppArmor 3.0.12 and libvirt 10.0.0 (from Debian packages) with
Linux 6.8-rc1 (unpatched), I'm unable to start KVM domains due to
AppArmor errors. Everything works fine on Linux 6.7. After attempting
to start a domain, syslog contains:

    libvirtd[38705]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c -u libvirt-4fad83ef-4285-4cf5-953c-5c13d943c1fb) unexpected exit status 1: virt-aa-helper: error: apparmor_parser exited with error
    libvirtd[38705]: internal error: cannot load AppArmor profile 'libvirt-4fad83ef-4285-4cf5-953c-5c13d943c1fb'

dmesg contains the additional message:

    audit: type=1400 audit(1706112657.438:74): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/usr/sbin/apparmor_parser" pid=6333 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The libvirt-$GUID file is not created in /etc/apparmor.d/libvirt and
apparmor_parser is not executed as far as I can tell.

I've bisected the regression to
978ffcbf00d82b03b79e64b5c8249589b50e7463. Perhaps the change in this
commit causes AppArmor to deny opening /usr/sbin/apparmor_parser in
preparation for exec? For reference,
/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper contains:

    /{usr/,}sbin/apparmor_parser Ux,

I'd appreciate any help debugging the issue further. Let me know if I
should take it up with the AppArmor or libvirt developers to better
understand the issue.

Thanks,
Kevin
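
Added example, not part of the original message and not AppArmor or libvirt code: a small triage helper that parses the audit record and the profile rule quoted above and reports which denied permissions the rule does not grant. The function names and the simplified permission parsing are assumptions of this example.

```python
import re

# Constructed sample input: the audit record and profile rule quoted in the report.
AUDIT_LINE = ('audit: type=1400 audit(1706112657.438:74): apparmor="DENIED" '
              'operation="open" class="file" profile="virt-aa-helper" '
              'name="/usr/sbin/apparmor_parser" pid=6333 comm="virt-aa-helper" '
              'requested_mask="r" denied_mask="r" fsuid=0 ouid=0')
PROFILE_RULE = '/{usr/,}sbin/apparmor_parser Ux,'


def parse_audit(line):
    """Return the key=value fields of an audit record as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def expand_braces(pattern):
    """Expand {a,b} alternations recursively; globs (*, ?) are not handled."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(','):
        out += expand_braces(pattern[:m.start()] + alt + pattern[m.end():])
    return out


def parse_rule(rule):
    """Split a simple 'path perms,' file rule into (paths, permission set).

    Simplification (assumption of this example): exec transition qualifiers
    (i, p, c, u in either case) are folded into plain 'x'; r/w/a/l/k/m are kept.
    """
    path, perms = rule.rstrip(',').split()
    perms = re.sub(r'[ipcuIPCU]+x', 'x', perms)
    return expand_braces(path), set(perms)


def uncovered(audit_line, rule):
    """Return denied permissions the rule does not grant, or None if the path differs."""
    rec = parse_audit(audit_line)
    paths, granted = parse_rule(rule)
    if rec.get('apparmor') != 'DENIED' or rec.get('name') not in paths:
        return None
    return set(rec['denied_mask']) - granted


if __name__ == '__main__':
    print(uncovered(AUDIT_LINE, PROFILE_RULE))
```

For the quoted record and rule, the helper reports that the denied read permission is outside what the exec-only rule grants.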