On 1/11/24 14:17, Sergio Durigan Junior wrote:
A QEMU change (10218ae6d006f76410804cc4dc690085b3d008b5) introduced
some libnuma calls that require read access to
/sys/devices/system/node/*/cpumap, which currently is forbidden by the
standard apparmor profile.
This commit allows read-only access to the file specified above.
Closes #515
I always forget, but looking at the git log it seems the full URL is preferred. E.g.
Closes: https://gitlab.com/libvirt/libvirt/-/issues/515
Signed-off-by: Sergio Durigan Junior <sergio.durigan(a)canonical.com>
Reviewed-by: Jim Fehlig <jfehlig(a)suse.com>
It's a bug fix so should be safe for freeze. I'll make the above change to the
commit message and push it.
Regards,
Jim
---
src/security/apparmor/libvirt-qemu.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/security/apparmor/libvirt-qemu.in
b/src/security/apparmor/libvirt-qemu.in
index 53f45c3a28..f40f471891 100644
--- a/src/security/apparmor/libvirt-qemu.in
+++ b/src/security/apparmor/libvirt-qemu.in
@@ -252,6 +252,9 @@
/sys/devices/system/node/node[0-9]*/meminfo r,
/sys/module/vhost/parameters/max_mem_regions r,
+ # Access to libnuma
+ /sys/devices/system/node/*/cpumap r,
+
# silence refusals to open lttng files (see LP: #1432644)
deny /dev/shm/lttng-ust-wait-* r,
deny /run/shm/lttng-ust-wait-* r,
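Review bot: the new rule `+ /sys/devices/system/node/*/cpumap r,` uses a bare `*` for the directory component, while the neighbouring meminfo rule in the same hunk restricts itself to `node[0-9]*`; for consistency with that rule and to keep the grant limited to the per-node cpumap files libnuma reads, consider `/sys/devices/system/node/node[0-9]*/cpumap r,`. The `# Access to libnuma` comment would also be more useful if it said why the read is needed, e.g. referencing the QEMU commit 10218ae6d006f76410804cc4dc690085b3d008b5 named in the commit message, so a later reader knows what breaks if the rule is removed.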