See lp#1276719 for the bug description. As virt-aa-helper doesn't know
the VFIO groups to use for the guest, allow access to all
/dev/vfio/[0-9]* and /dev/vfio/vfio files.
---
examples/apparmor/libvirt-qemu | 5 +++++
examples/apparmor/usr.sbin.libvirtd | 3 +++
2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index e1980b7..c3dfa57 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -110,6 +110,7 @@
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-x86_64 rmix,
+ /usr/lib/qemu/block-curl.so mr,
# for save and resume
/bin/dash rmix,
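Review bot: The `/usr/lib/qemu/block-curl.so mr,` rule added at the top of this hunk is not covered by the commit message, which only describes the VFIO access; either mention it in the description or split it into its own commit so the two grants can be reviewed and reverted independently. The rule also hard-codes `/usr/lib/qemu`, whereas the bridge-helper rule in the next hunk uses the `/usr/{lib,libexec}/...` alternation; if the block module lives under a different libdir on some distributions, the same alternation may be wanted here, `/usr/{lib,libexec}/qemu/block-curl.so mr,`. The enclosing profile block starts and ends outside the hunk.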
@@ -122,6 +123,10 @@
/sys/bus/ r,
/sys/class/ r,
+ # for vfio access
+ /dev/vfio/vfio rw,
+ /dev/vfio/[0-9]* rw,
+
/usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
# child profile for bridge helper process
profile qemu_bridge_helper {
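Review bot: `/dev/vfio/[0-9]* rw,` lets every guest confined by this profile open every VFIO group on the host, not only the groups assigned to that guest, so the isolation between passed-through devices of different guests now rests on QEMU alone; the profile itself should record that this widening is deliberate rather than leaving it to the commit message. The `# for vfio access` comment could carry the reason, e.g. `# virt-aa-helper cannot tell which VFIO groups belong to this guest, so all groups are allowed`, and a per-guest rule emitted by virt-aa-helper would be the tighter fix if the group list becomes available to it. Note also that in AppArmor globbing `*` matches any run of characters except `/`, so the pattern accepts any name beginning with a digit, slightly wider than the numeric group names the description refers to. The hunk ends on the opening line of the qemu_bridge_helper child profile, whose body is outside the hunk.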
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index fd6def1..3011eff 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -25,6 +25,9 @@
capability fsetid,
capability audit_write,
+ # Needed for vfio
+ capability sys_resource,
+
network inet stream,
network inet dgram,
network inet6 stream,
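Review bot: `# Needed for vfio` on the new `capability sys_resource,` line says what the grant serves but not what it does; CAP_SYS_RESOURCE is broad (it allows overriding resource limits, among other things), so the comment should name the specific operation so a later reviewer can judge whether the capability is still required. Presumably libvirtd raises the locked-memory limit of the QEMU process so VFIO can pin guest RAM; if so, `# Needed for vfio: raise the qemu process's RLIMIT_MEMLOCK for pinned guest memory` would say it. The enclosing profile block starts and ends outside the hunk.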
--
1.9.0