Re: [PATCH] apparmor: avoid denials on libpmem initialization

On Wed, 08 Apr 2020, Jamie Strandboge wrote: Answering myself after looking at the pmdk source code, fs_new() is calling fts_open() without FTS_NOCHDIR (and based on your '/' rule, starting in '/'), then calls fs_read() which calls fts_read() on the files it finds in /sys/bus/nd/devices (it makes sure to only look at symlinks, but that doesn't impact our rules). Writing some test code to simulate this and testing on /sys/bus/usb/devices (since I have usb devices here, but not nd and this dir is populated with symlinks as the libpmem code expects), I think the full rules you want are: # required by libpmem init to fts_open()/fts_read() the symlinks in # /sys/bus/nd/devices / r, /sys/bus/nd/devices/{,**/} r, Ideally this access would only be needed if using NFIT-ND devices, but as you mentioned, that is not possible at the point of the denial. I think these rules are fine to apply to the default VM policy since they are only a collection of directory reads (note the trailing '/'s in the second rule), which should have no impact guest isolation or host protections. -- Jamie Strandboge | http://www.canonical.com