Re: [PATCH v2] apparmor: avoid denials on libpmem initialization

On Thu, 09 Apr 2020, Christian Ehrhardt wrote: > With libpmem support compiled into qemu it will trigger the following > denials on every startup. > apparmor="DENIED" operation="open" name="/" > apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/" > > This is due to [1] that tries to auto-detect if the platform supports > auto flush for all region. > > Once we know all the paths that are potentially needed if this feature > is really used we can add them conditionally in virt-aa-helper and labelling > calls in case </pmem> is enabled. > > But until then the change here silences the denial warnings seen above. > > [1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#... > > Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354 > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com&gt; > --- > src/security/apparmor/libvirt-qemu | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu > index 80986aec61..1a4b226612 100644 > --- a/src/security/apparmor/libvirt-qemu > +++ b/src/security/apparmor/libvirt-qemu > @@ -227,3 +227,8 @@ > # required for sasl GSSAPI plugin > /etc/gss/mech.d/ r, > /etc/gss/mech.d/* r, > + > + # required by libpmem init to fts_open()/fts_read() the symlinks in > + # /sys/bus/nd/devices > + / r, # harmless on any lsb compliant system > + /sys/bus/nd/devices/{,**/} r, LGTM. Thanks!

-- Jamie Strandboge | http://www.canonical.com