On 6/7/21 5:43 PM, Neal Gompa wrote:
On Mon, Jun 7, 2021 at 6:34 PM Jim Fehlig <jfehlig(a)suse.com> wrote:
>
> The audit log contains the following denials from libvirtd
>
> apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17 capname="sys_rawio"
> apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39 capname="bpf"
> apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38 capname="perfmon"
>
> Squelch the denials and allow the capabilities in the libvirtd
> apparmor profile.
>
> Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
> ---
>
> I'm not really sure when these denials first started appearing, nor
> have I noticed any problems they are causing. Likely I have not exercised
> the affected functionality.
>
> src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in
b/src/security/apparmor/usr.sbin.libvirtd.in
> index bf4563e1e8..928782b709 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -25,6 +25,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> capability fsetid,
> capability audit_write,
> capability ipc_lock,
> + capability sys_rawio,
> + capability bpf,
> + capability perfmon,
>
> # Needed for vfio
> capability sys_resource,
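Review bot: the three new rules are added without a comment saying which code path needs them, while the neighbouring `capability sys_resource,` carries `# Needed for vfio`; since the cover letter says the triggering functionality has not been identified, consider at least recording what the audit lines show (`sys_rawio` hit from the `daemon-init` thread, `bpf` and `perfmon` from `rpc-worker`) so a later reader can tell why a broad capability such as `sys_rawio` (raw I/O port and device access) is granted to the daemon profile rather than, say, scoped to the code path that needs it.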
> --
> 2.31.1
>
>
The patch LGTM, but the title is confusing. Maybe the following?
"apparmor: Permit new capabilities required by libvirt"
Reading again, I agree it is poorly worded. I used your suggestion, but
s/libvirt/libvirtd/.
Regards,
Jim
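The denial-to-rule step the commit message describes, as an added example that is not part of this thread or of libvirt's own tooling: it parses AppArmor audit records in the key=value form quoted above, collects the capabilities reported DENIED for a named profile, and lists the `capability` rules a profile excerpt still lacks. The audit lines and the profile excerpt are constructed here (modelled on the three denials in the patch, plus an ALLOWED record and a non-capability denial that must be ignored); the regexes assume the plain `key="value"` audit layout and the `capability name,` rule syntax shown in the diff.

```python
import re

# Constructed sample audit records, modelled on the denials quoted in the patch.
# The last three lines are deliberate distractors: a repeat, an ALLOWED record,
# and a file-access denial that is not a capability denial at all.
SAMPLE_AUDIT_LINES = """\
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17 capname="sys_rawio"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39 capname="bpf"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38 capname="perfmon"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39 capname="bpf"
apparmor="ALLOWED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=24 capname="sys_resource"
apparmor="DENIED" operation="open" profile="libvirtd" name="/etc/constructed.conf" pid=6012 comm="rpc-worker" requested_mask="r"
"""

# Hypothetical profile excerpt (constructed), showing the capability rules already granted.
SAMPLE_PROFILE = """\
profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
  capability fsetid,
  capability audit_write,
  capability ipc_lock,
  # Needed for vfio
  capability sys_resource,
}
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# One "capability <name>," rule per line inside the profile body.
_CAP_RULE_RE = re.compile(r'^\s*capability\s+([a-z_]+)\s*,', re.M)


def parse_audit_line(line):
    """Turn one audit record into a dict, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def denied_capabilities(audit_text, profile_name):
    """Sorted, de-duplicated capability names DENIED for the given profile."""
    caps = set()
    for line in audit_text.splitlines():
        rec = parse_audit_line(line)
        if (rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "capable"
                and rec.get("profile") == profile_name
                and "capname" in rec):
            caps.add(rec["capname"])
    return sorted(caps)


def profile_capabilities(profile_text):
    """Set of capability names the profile text already grants."""
    return set(_CAP_RULE_RE.findall(profile_text))


def missing_capability_rules(audit_text, profile_text, profile_name):
    """Rules the denials call for that the profile does not yet contain."""
    have = profile_capabilities(profile_text)
    return [f"capability {cap},"
            for cap in denied_capabilities(audit_text, profile_name)
            if cap not in have]


if __name__ == "__main__":
    for rule in missing_capability_rules(SAMPLE_AUDIT_LINES, SAMPLE_PROFILE, "libvirtd"):
        print(rule)
```

Run on the constructed input it prints the three rules the patch adds and nothing else; the ALLOWED record and the file-open denial are filtered out by the `apparmor`/`operation` checks, and the duplicate `bpf` denial collapses into one rule. Reviewing the output by hand before pasting it into a profile is the point: the script tells you what the daemon asked for, not whether it should have it.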