On 12/19/23 01:33, Jim Fehlig wrote:
> When splitting out the apparmor modular daemon profiles from the
> libvirtd profile, the net_admin and sys_admin capabilities were
> dropped from the virtxend profile. It was not known at the time
> that these capabilities were needed for PCI passthrough. Without
> the capabilities, the following messages are emitted from the audit
> subsystem:
>
> audit: type=1400 audit(1702939277.946:63): apparmor="DENIED" \
> operation="capable" class="cap" profile="virtxend" pid=3611 \
> comm="rpc-virtxend" capability=21 capname="sys_admin"
> audit: type=1400 audit(1702940304.818:63): apparmor="DENIED" \
> operation="capable" class="cap" profile="virtxend" pid=3731 \
> comm="rpc-virtxend" capability=12 capname="net_admin"
>
> It appears sys_admin is needed to simply read from the PCI dev's
> sysfs config file. The net_admin capability is needed when setting
> the MAC address of an SR-IOV virtual function.
>
> Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
> ---
> src/security/apparmor/usr.sbin.virtxend.in | 2 ++
> 1 file changed, 2 insertions(+)
>

Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>

Michal
_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx