On 10/14/25 17:28, Hector Cao wrote:
> AMD-SEV virtual machines interact with the underlying AMD-SEV technology through the character device /dev/sev. Currently, the AppArmor profile does not include the rule required to allow this access.
>
> There are two main approaches to address this limitation:
>
> 1) Add the required rule to the libvirt-qemu abstraction.
> 2) Dynamically add the rule only when the VM is an AMD-SEV guest.
>
> Since AMD-SEV guests represent a niche use case, it is more appropriate to apply the rule dynamically rather than granting access to all VMs through a global abstraction change.
>
> This commit implements option (2) by modifying the virt-aa-helper binary to insert the necessary rule into the AppArmor dynamic profile when the VM is identified as an AMD-SEV guest.
>
> The added entry in the generated libvirt-<uuid>.files file will look like:
>
>   ...
>   "/dev/sev" rw,
>   ...
>
> Signed-off-by: Hector Cao <hector.cao@canonical.com>
> ---
>  src/security/virt-aa-helper.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal