On Wed, 08 Apr 2020, Christian Ehrhardt wrote:

> With libpmem support compiled into qemu it will trigger the following
> denials on every startup.
> apparmor="DENIED" operation="open" name="/"
> apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"
>
> This is due to [1] that tries to auto-detect if the platform supports
> auto flush for all region.
>
> Once we know all the paths that are potentially needed if this feature
> is really used we can add them conditionally in virt-aa-helper and labelling
> calls in case </pmem> is enabled.
>
> But until then the change here silences the denial warnings seen above.
>
> [1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131
>
> Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> ---
>  src/security/apparmor/libvirt-qemu | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 80986aec61..602f5eb587 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -227,3 +227,8 @@
>    # required for sasl GSSAPI plugin
>    /etc/gss/mech.d/ r,
>    /etc/gss/mech.d/* r,
> +
> +  # scanned on libpmem init, but harmless on any lsb compliant system
> +  / r,

I suggest adjusting the comment for clarity. Eg:

  # required by libpmem init
  / r,
  # harmless on any lsb compliant system
  /sys/bus/nd/devices/ r,
  ...

The '/' read is indeed fine.

> +  /sys/bus/nd/devices/ r,

This also is fine.

> +  /sys/bus/nd/devices/* r,

Can you list what files libpmem init is looking at? I'm a bit uncomfortable
with the glob here and would rather not guess that today's and all future
files in /sys/bus/nd/devices are safe for all qemu processes to read.

-- 
Jamie Strandboge             | http://www.canonical.com
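Review bot: the glob in `/sys/bus/nd/devices/* r,` (last added line of the `@@ -227,3 +227,8 @@` hunk) matches only direct children of that directory, because a single `*` in an AppArmor path rule does not cross `/`; so if the libpmem auto-flush probe opens anything nested below those entries, this rule neither silences that denial nor documents it, while it does grant read access to every present and future entry directly under `/sys/bus/nd/devices`. The commit message itself admits the full path list is not yet known, so please enumerate the files the probe opens (as the reply asks) and express them as explicit rules instead of the glob. Separately, the comment `# scanned on libpmem init, but harmless on any lsb compliant system` only justifies the `/ r,` entry that follows it; put the reason (libpmem auto-flush detection, with the pmdk reference from the commit message) above all three rules and keep the "harmless" remark next to `/ r,` alone, roughly as the reply suggests.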
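The reviewer's concern above is about how far the `*` glob reaches. The following is an added example, not code from this thread, from libvirt or from pmdk: it applies AppArmor's path-glob rules (`*` stops at `/`, `**` crosses it, `?` is one non-`/` character) to the hunk's rules and to the two denial lines from the commit message, plus one constructed nested path (`region0/persistence_domain`, an assumption chosen only to show what the glob does not cover). The `requested_mask="r"` field on the audit lines is likewise added by hand; the message quotes the lines without it.

```python
import re

# Constructed from the hunk: the two GSSAPI context lines and the three rules
# the patch adds (profile indentation dropped).
PATCH_RULES = [
    "/etc/gss/mech.d/ r,",
    "/etc/gss/mech.d/* r,",
    "/ r,",
    "/sys/bus/nd/devices/ r,",
    "/sys/bus/nd/devices/* r,",
]

# Constructed audit lines: the two paths from the commit message, with a
# requested_mask field added, plus one hypothetical nested path that is NOT
# taken from the thread and only illustrates the reach of a single '*'.
DENIALS = [
    'apparmor="DENIED" operation="open" name="/" requested_mask="r"',
    'apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/" requested_mask="r"',
    'apparmor="DENIED" operation="open" '
    'name="/sys/bus/nd/devices/region0/persistence_domain" requested_mask="r"',
]


def glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regex.

    '**' matches any characters including '/', '*' matches any characters
    except '/', '?' matches exactly one character that is not '/'.
    """
    parts = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            parts.append("[^/]*")
        elif c == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_rule(rule):
    """Split a profile line such as '/sys/bus/nd/devices/* r,' into
    (compiled path regex, set of permission letters)."""
    path, perms = rule.rstrip(",").split()
    return glob_to_regex(path), set(perms)


def parse_denial(line):
    """Extract the key="value" fields of an AppArmor audit line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def rules_covering(rules, name, mask):
    """Return the rules whose glob matches `name` and that grant every
    permission letter in `mask`."""
    hits = []
    for rule in rules:
        regex, perms = parse_rule(rule)
        if regex.match(name) and set(mask) <= perms:
            hits.append(rule)
    return hits


def check_denials(rules, lines):
    """For each denied path, list the rules that would have allowed it
    (an empty list means the profile still denies that access)."""
    result = {}
    for line in lines:
        fields = parse_denial(line)
        name = fields["name"]
        result[name] = rules_covering(rules, name, fields.get("requested_mask", "r"))
    return result


if __name__ == "__main__":
    for name, hits in check_denials(PATCH_RULES, DENIALS).items():
        verdict = "allowed by " + ", ".join(hits) if hits else "still DENIED"
        print(f"{name}: {verdict}")
```

Run as a script it reports that `/` and `/sys/bus/nd/devices/` are now allowed, while the nested constructed path is still denied by the patched profile, which is exactly why the exact file list matters: the fix is either explicit rules for those files or a deliberately wider `**` rule, and only the former gives the reviewer the bounded grant asked for.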