[PATCH] apparmor: Allow access to /sys/devices/system/node/*/cpumap for libnuma

Thursday, 11 January 2024

A QEMU change (10218ae6d006f76410804cc4dc690085b3d008b5) introduced
some libnuma calls that require read access to
/sys/devices/system/node/*/cpumap, which currently is forbidden by the
standard apparmor profile.

This commit allows read-only access to the file specified above.

Closes #515

Signed-off-by: Sergio Durigan Junior <sergio.durigan(a)canonical.com&gt;
---
 src/security/apparmor/libvirt-qemu.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu.in
b/src/security/apparmor/libvirt-qemu.in
index 53f45c3a28..f40f471891 100644
--- a/src/security/apparmor/libvirt-qemu.in
+++ b/src/security/apparmor/libvirt-qemu.in
@@ -252,6 +252,9 @@
   /sys/devices/system/node/node[0-9]*/meminfo r,
   /sys/module/vhost/parameters/max_mem_regions r,
 
+   # Access to libnuma
+   /sys/devices/system/node/*/cpumap r,
+
   # silence refusals to open lttng files (see LP: #1432644)
   deny /dev/shm/lttng-ust-wait-* r,
   deny /run/shm/lttng-ust-wait-* r,
-- 
2.34.1

    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[PATCH] apparmor: Allow access to /sys/devices/system/node/*/cpumap for libnuma