[PATCH 0/4] virt-aa-helper: Add new option to remove corrupted

Ioanna Alifieraki posted 4 patches 2 weeks ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/20211007172539.25224-1-ioanna-maria.alifieraki@canonical.com

[PATCH 0/4] virt-aa-helper: Add new option to remove corrupted

Posted by Ioanna Alifieraki 2 weeks ago
This patch-series aims to address the bug reported in [1] and [2].

Bug description:
Sometimes libvirt fails to start a vm with the following error:
libvirt: error : unable to set AppArmor profile 'libvirt-b05b297f-952f-42d6-b04e-f9a13767db54' for '/usr/bin/kvm-spice': No such file or directory
This happens because file /etc/apparmor.d/libvirt/libvirt-<vm-uuid> has 0 size.
During the vm start-up virt-aa-helper tries to load the profile and because it is 0 it fails.
When file /etc/apparmor.d/libvirt/libvirt-<vm-uuid> is removed the vm can start without problems.

To address this issue this patch-series suggests the following.
On the vm start-up check if the profile has 0 size and if this is the case 
remove it and create it again.
To do so a new option (-P) is introduced and also create and remove profile
functionalities are placed into separate functions.

The first commit moves create and remove functionalities into functions for later
reuse from different places.
The second commit adds a new option (-P) to remove the profile file.
The third commit implements the actual fix (check if the profile has 0 size and if
so remove it and create it again).
The fourth patch adds a test for the above fix.


[1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1927519
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890084

Ioanna Alifieraki (4):
  virt-aa-helper: Move create and remove profile into separate functions
  virt-aa-helper: Add new purge (-P) option
  virt-aa-helper: Purge profile if corrupted
  virt-aa-helper: test: add test for new option -P

 src/security/virt-aa-helper.c | 87 ++++++++++++++++++++++++++---------
 tests/meson.build             |  1 +
 tests/virt-aa-helper-test     | 29 ++++++++++++
 3 files changed, 96 insertions(+), 21 deletions(-)

-- 
2.17.1

Re: [PATCH 0/4] virt-aa-helper: Add new option to remove corrupted

Posted by Christian Ehrhardt 1 week, 4 days ago
On Thu, Oct 7, 2021 at 7:25 PM Ioanna Alifieraki
<ioanna-maria.alifieraki@canonical.com> wrote:
>
> This patch-series aims to address the bug reported in [1] and [2].
>
> Bug description:
> Sometimes libvirt fails to start a vm with the following error:
> libvirt: error : unable to set AppArmor profile 'libvirt-b05b297f-952f-42d6-b04e-f9a13767db54' for '/usr/bin/kvm-spice': No such file or directory
> This happens because file /etc/apparmor.d/libvirt/libvirt-<vm-uuid> has 0 size.
> During the vm start-up virt-aa-helper tries to load the profile and because it is 0 it fails.
> When file /etc/apparmor.d/libvirt/libvirt-<vm-uuid> is removed the vm can start without problems.
>
> To address this issue this patch-series suggests the following.
> On the vm start-up check if the profile has 0 size and if this is the case
> remove it and create it again.
> To do so a new option (-P) is introduced and also create and remove profile
> functionalities are placed into separate functions.
>
> The first commit moves create and remove functionalities into functions for later
> reuse from different places.
> The second commit adds a new option (-P) to remove the profile file.
> The third commit implements the actual fix (check if the profile has 0 size and if
> so remove it and create it again).
> The fourth patch adds a test for the above fix.

I'm generally +1 on the overall approach and wanted to thank you for
working on this.
It will fix a rare but real issue.

Jan had a few requests on 3/4 that all seemed reasonable suggestions,
will you submit a v2 addressing those?

> [1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1927519
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890084
>
> Ioanna Alifieraki (4):
>   virt-aa-helper: Move create and remove profile into separate functions
>   virt-aa-helper: Add new purge (-P) option
>   virt-aa-helper: Purge profile if corrupted
>   virt-aa-helper: test: add test for new option -P
>
>  src/security/virt-aa-helper.c | 87 ++++++++++++++++++++++++++---------
>  tests/meson.build             |  1 +
>  tests/virt-aa-helper-test     | 29 ++++++++++++
>  3 files changed, 96 insertions(+), 21 deletions(-)
>
> --
> 2.17.1
>


--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd