On Thu, Apr 9, 2020 at 6:57 PM Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
>
> On Thu, 09 Apr 2020, Christian Ehrhardt wrote:
>
> > With libpmem support compiled into qemu it will trigger the following
> > denials on every startup.
> > apparmor="DENIED" operation="open" name="/"
> > apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"
> >
> > This is due to [1] that tries to auto-detect if the platform supports
> > auto flush for all regions.
> >
> > Once we know all the paths that are potentially needed if this feature
> > is really used we can add them conditionally in virt-aa-helper and labelling
> > calls in case </pmem> is enabled.
> >
> > But until then the change here silences the denial warnings seen above.
> >
> > [1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131
> >
> > Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> > ---
> > src/security/apparmor/libvirt-qemu | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> > index 80986aec61..1a4b226612 100644
> > --- a/src/security/apparmor/libvirt-qemu
> > +++ b/src/security/apparmor/libvirt-qemu
> > @@ -227,3 +227,8 @@
> > # required for sasl GSSAPI plugin
> > /etc/gss/mech.d/ r,
> > /etc/gss/mech.d/* r,
> > +
> > + # required by libpmem init to fts_open()/fts_read() the symlinks in
> > + # /sys/bus/nd/devices
> > + / r, # harmless on any lsb compliant system
> > + /sys/bus/nd/devices/{,**/} r,
>
> LGTM. Thanks!

Thanks, it also works fine in all my tests and there was no other negative
feedback. Added your acked-by and pushing to the repo now ...

> --
> Jamie Strandboge | http://www.canonical.com

--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
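Review bot: the new `/sys/bus/nd/devices/{,**/} r,` rule matches directory paths only (both alternatives end in `/`), so it silences exactly the two denials quoted in the commit message but grants no read of files such as sysfs attributes beneath that tree; the comment above it would be clearer if it said so, e.g. `# directories only; per-file access is added by virt-aa-helper once <pmem> is enabled`, since the commit message defers that part to a later change.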
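To see which denials the two added rules actually cover, here is an added example (not code from the thread, libvirt or AppArmor) that parses audit lines of the shape quoted above and checks each denied name against the patch's rules. The glob matcher is a simplified model of AppArmor path matching (`{a,b}` alternation, `**` crossing `/`, `*` and `?` not crossing it); the real profile parser has more rules, and the audit lines, profile name and pid are constructed.

```python
import re

# Constructed sample of AppArmor audit messages.  The first two name="..."
# values are the denials quoted in the thread; the last two are made up to
# show what the new directory-only rule does and does not cover.
SAMPLE_AUDIT_LOG = """\
audit: type=1400 apparmor="DENIED" operation="open" profile="libvirt-qemu-example" name="/" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 apparmor="DENIED" operation="open" profile="libvirt-qemu-example" name="/sys/bus/nd/devices/" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 apparmor="DENIED" operation="open" profile="libvirt-qemu-example" name="/sys/bus/nd/devices/ndbus0/region0/" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 apparmor="DENIED" operation="open" profile="libvirt-qemu-example" name="/sys/bus/nd/devices/ndbus0/uevent" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# The two file rules the patch adds, as (path pattern, permissions) pairs.
PATCH_RULES = [
    ("/", "r"),
    ("/sys/bus/nd/devices/{,**/}", "r"),
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(log_text):
    """Return one dict of key="value" fields per line carrying apparmor="DENIED"."""
    denials = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials


def expand_braces(pattern):
    """Expand {a,b,...} alternation; {,x} yields the empty alternative as well."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def glob_to_regex(pattern):
    """Simplified AppArmor globbing (assumption): ** crosses '/', * and ? do not."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            parts.append("[^/]*")
        elif c == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def rule_allows(path_pattern, perms, name, requested_mask):
    """True if the rule matches `name` and grants every permission in `requested_mask`."""
    if not set(requested_mask) <= set(perms):
        return False
    return any(glob_to_regex(p).match(name) for p in expand_braces(path_pattern))


def classify_denials(log_text, rules):
    """Pair each denied name with whether some rule in `rules` would now allow it."""
    result = []
    for d in parse_denials(log_text):
        covered = any(rule_allows(p, perms, d["name"], d["requested_mask"])
                      for p, perms in rules)
        result.append((d["name"], covered))
    return result


if __name__ == "__main__":
    for name, covered in classify_denials(SAMPLE_AUDIT_LOG, PATCH_RULES):
        print(f"{'allowed' if covered else 'DENIED '} {name}")
```

Run against the constructed log, the two quoted denials and the nested directory are covered, while the `uevent` file under the same tree is not: the trailing `/` in `{,**/}` restricts the grant to directory reads, which is what the fts_open()/fts_read() traversal in the comment needs and nothing more.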