On 12/19/23 01:33, Jim Fehlig wrote:
When splitting out the apparmor modular daemon profiles from the
libvirtd profile, the net_admin and sys_admin capabilities were
dropped from the virtxend profile. It was not known at the time
that these capabilities were needed for PCI passthrough. Without
the capabilities, the following messages are emitted from the audit
subsystem
audit: type=1400 audit(1702939277.946:63): apparmor="DENIED" \
operation="capable" class="cap" profile="virtxend" pid=3611
\
comm="rpc-virtxend" capability=21 capname="sys_admin"
audit: type=1400 audit(1702940304.818:63): apparmor="DENIED" \
operation="capable" class="cap" profile="virtxend" pid=3731
\
comm="rpc-virtxend" capability=12 capname="net_admin"
It appears sys_admin is needed to simply read from the PCI dev's
sysfs config file. The net_admin capability is needed when setting
the MAC address of an SR-IOV virtual function.
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
src/security/apparmor/usr.sbin.virtxend.in | 2 ++
1 file changed, 2 insertions(+)
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
Michal