When trying to use the passt networking backend in Ubuntu, libvirt is unable to start the VM due to a signal 11 for the passt service. Disabling AppArmor fixes the problem, and the VM is able to start. Checking the journal, I am able to see that AppArmor denies actions for the passt command. How can this be fixed?
Steps to reproduce:
- Create VM: Using virt-install:
virt-install --name alpine_test_2 --osinfo alpinelinux3.21 --network passt --memory 1028 --vcpus 2 --disk size=5 --cdrom ~/Downloads/alpine-standard-3.22.1-x86_64.iso
or with this network config:
<interface type="user">
<mac address="52:54:00:26:c8:fc"/>
<model type="virtio"/>
<backend type="passt"/>
<address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>
- The VM crashed with signal 11 in the passt command.
- Adding /usr/bin/passt rm in /etc/apparmor.d/abstractions/libvirt-qemu to the profile passt allows the VM to start, but the VM can't use the internet (no DHCP nor any network adapters).
Tested with the same results on Ubuntu LTS 24.04.3 (virt-manager + virt-install updated to 5.0.0) or Ubuntu 25.04.
AppArmor denied without added rule:
<clipped> kernel: audit: type=1400 audit(1756642420.102:204): apparmor="DENIED" operation="file_mmap" class="file" profile="libvirt-7cbd0b6d-3ec3-4fc4-8454-a2a0917c0fb9" name="/usr/bin/passt" pid=5161 comm="passt" requested_mask="rm" denied_mask="rm" fsuid=64055 ouid=0
AppArmor denied after added rule:
<clipped> kernel: audit: type=1400 audit(1756727415.400:289): apparmor="DENIED" operation="connect" class="file" profile="libvirt-38e23345-7d1a-4c5e-94cc-0df3463d865d" name="/run/libvirt/qemu/passt/1-alpine_test-net0.socket" pid=3335 comm="io-task-worker" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=64055
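An added example, not part of the original post: a small parser that reads the two denial records quoted above, merges the denied masks per path, and prints the AppArmor file rule each denial corresponds to, as a starting point for reviewing what the confined process actually requested. The function names are hypothetical, and which profile a rule belongs in is left to the reader.

```python
import re
from collections import defaultdict

# The two denial records quoted in the post (journal prefix clipped, as there).
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1756642420.102:204): apparmor="DENIED" operation="file_mmap" class="file" profile="libvirt-7cbd0b6d-3ec3-4fc4-8454-a2a0917c0fb9" name="/usr/bin/passt" pid=5161 comm="passt" requested_mask="rm" denied_mask="rm" fsuid=64055 ouid=0
kernel: audit: type=1400 audit(1756727415.400:289): apparmor="DENIED" operation="connect" class="file" profile="libvirt-38e23345-7d1a-4c5e-94cc-0df3463d865d" name="/run/libvirt/qemu/passt/1-alpine_test-net0.socket" pid=3335 comm="io-task-worker" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=64055
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
PERM_ORDER = "rwaxmkl"                 # order used when printing a permission set
AUDIT_TO_RULE = {"c": "w", "d": "w"}   # audit-only create/delete bits fall under 'w'


def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" record."""
    records = []
    for line in text.splitlines():
        fields = {k: (q or b) for k, q, b in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records


def candidate_rules(records):
    """Merge file-class denials per path and render one file rule per path."""
    masks = defaultdict(set)
    for rec in records:
        if rec.get("class") == "file" and "name" in rec:
            for bit in rec.get("denied_mask", ""):
                masks[rec["name"]].add(AUDIT_TO_RULE.get(bit, bit))
    rules = []
    for path, perms in sorted(masks.items()):
        ordered = "".join(p for p in PERM_ORDER if p in perms)
        rules.append(f"{path} {ordered},")
    return rules


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    for rec in denials:
        print(f'{rec["comm"]:>15} {rec["operation"]:<10} {rec["name"]} '
              f'mask={rec["denied_mask"]} profile={rec["profile"]}')
    print("\n".join(candidate_rules(denials)))
```

Note that the two records come from different per-VM profiles (different libvirt-<uuid> names) and different processes (passt and io-task-worker), which the per-record output makes visible.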