From 940c9b2f0b86e57a992b37381a09bfb23ba01836 Mon Sep 17 00:00:00 2001
From: Vasiliy Ulyanov
Date: Thu, 27 Oct 2022 18:52:24 +0200
Subject: [PATCH] node-labeller.sh: Consider AppArmor restrictions
Even though the virt-handler pod is privileged, on the systems with AppArmor there might be a host profile which will be automatically picked for the /usr/sbin/libvirtd binary. That may block the execution of /usr/libexec/qemu-kvm. In such a case, try moving the qemu executable to a location, which is more common for AppArmor-enabled Linux distros.
Signed-off-by: Vasiliy Ulyanov
---
 cmd/virt-launcher/node-labeller/node-labeller.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/cmd/virt-launcher/node-labeller/node-labeller.sh b/cmd/virt-launcher/node-labeller/node-labeller.sh
index 73ea8e22bfe0..855c9065612c 100755
--- a/cmd/virt-launcher/node-labeller/node-labeller.sh
+++ b/cmd/virt-launcher/node-labeller/node-labeller.sh
@@ -21,6 +21,13 @@ fi
 libvirtd -d
+# If the below command fails, then probably we run under AppArmor restrictions
+# and the active profile denies exec of /usr/libexec/qemu-kvm for libvirtd. In
+# such case, move the binary to a more common location and try again.
+if ! virsh domcapabilities --machine q35 --arch x86_64 --virttype $VIRTTYPE > /dev/null; then [ -f /usr/libexec/qemu-kvm ] && mv /usr/libexec/qemu-kvm /usr/bin/qemu-system-x86_64
+fi
+
 virsh domcapabilities --machine q35 --arch x86_64 --virttype $VIRTTYPE > /var/lib/kubevirt-node-labeller/virsh_domcapabilities.xml
 cp -r /usr/share/libvirt/cpu_map /var/lib/kubevirt-node-labeller
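Review bot: The fallback on the added `if ! virsh domcapabilities …` line fires on any failure of the probe, not only on an AppArmor exec denial, and the `mv` emits no log line, so on an unrelated failure the emulator is silently relocated and the second `virsh domcapabilities` below fails with no hint of what was changed. Suggest announcing the move on stderr and refusing to clobber an existing target, e.g. `echo "domcapabilities probe failed; relocating /usr/libexec/qemu-kvm to /usr/bin (AppArmor workaround)" >&2` followed by `[ -f /usr/libexec/qemu-kvm ] && [ ! -e /usr/bin/qemu-system-x86_64 ] && mv /usr/libexec/qemu-kvm /usr/bin/qemu-system-x86_64`. Since the script knowingly sidesteps a host MAC profile, the comment should say so explicitly so an operator reviewing node logs understands why the emulator path differs from the image layout; quoting `"$VIRTTYPE"` on both virsh lines would also be safer. The `fi` in the hunk header closes a block that starts outside the hunk.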