[apparmor] Disable apparmor without restart
John Johansen
john.johansen at canonical.com
Mon Jan 3 04:49:05 UTC 2022
On 12/28/21 2:00 AM, Sina Kashipazha wrote:
> Hey there,
>
> I have two hosts in my setup, one of them uses AppArmor (h1), and another one doesn't have it (h2). I want to use virsh to live migrate my VMs from h1 to h2, but I'm not able to do that because the h2 host doesn't have the AppArmor policy.
>
> I was wondering, is it possible to edit the XML configuration file of the VM and disable AppArmor without restarting the VMs?
>
AFAIK no, but you can manually remove the apparmor protection on the VM by unloading the profiles.

  sudo aa-teardown

will remove apparmor protections from the whole system.

If you want to be more selective you can just unload the VM's profiles, using apparmor_parser -R.

> Some extra info:
>
> root@h1(apparmor enabled):~# virsh list
> Id Name State
> ----------------------------------------------------
> 7 some-VM running
>
> root@h1(apparmor enabled):~# virsh dumpxml 7 | grep apparmor
> <seclabel type='dynamic' model='apparmor' relabel='yes'
>
> root@h1(apparmor enabled):~# virsh capabilities | grep -A1 secmodel
> <secmodel>
> <model>apparmor</model>
> </secmodel>
> <secmodel>
> <model>dac</model>
> </secmodel>
> </host>
>
>
>
> root@h2(apparmor disabled):~# virsh capabilities | grep -A1 secmodel
> <secmodel>
> <model>none</model>
> </secmodel>
> <secmodel>
> <model>dac</model>
> </secmodel>
> </host>
>
>
>
>
> Kind regards,
> Sina
>
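
The selective unload mentioned in the reply, as an added example that is not part of the original thread: it finds the loaded per-VM profiles and prints, as a dry run, the apparmor_parser -R command for one VM. It assumes libvirt's libvirt-<UUID> profile naming with profile files under /etc/apparmor.d/libvirt/; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes libvirt names per-VM profiles
# libvirt-<UUID> and keeps their files in /etc/apparmor.d/libvirt/.
PROFILE_DIR=/etc/apparmor.d/libvirt
LOADED=/sys/kernel/security/apparmor/profiles   # one "name (mode)" per line

# Print the names of loaded per-VM profiles from a listing file ($1, default $LOADED).
loaded_vm_profiles() {
    sed -n -E 's/^(libvirt-[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}) \([a-z]+\)$/\1/p' "${1:-$LOADED}"
}

# Print the unload command for the VM with UUID $1 if its profile is loaded.
# Returns 1 and prints nothing on stdout when the profile is not loaded.
unload_cmd() {
    name="libvirt-$1"
    if loaded_vm_profiles "${2:-$LOADED}" | grep -qxF "$name"; then
        echo "apparmor_parser -R $PROFILE_DIR/$name"
    else
        echo "profile $name is not loaded" >&2
        return 1
    fi
}

# Constructed sample of the loaded-profiles listing (not output from h1).
sample_listing() {
    cat <<'EOF'
/usr/sbin/libvirtd (enforce)
libvirt-11111111-2222-3333-4444-555555555555 (enforce)
libvirt-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee (complain)
virt-aa-helper (enforce)
EOF
}

# Dry run against the constructed listing: prints the command, runs nothing.
tmp=$(mktemp)
sample_listing > "$tmp"
unload_cmd 11111111-2222-3333-4444-555555555555 "$tmp"
rm -f "$tmp"
# On a real host, as root: unload_cmd "$(virsh domuuid some-VM)"
```

Once a profile is unloaded, the processes it confined run unconfined, so checking the listing again afterwards confirms which VMs are still covered.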