On Fri, Mar 13, 2026 at 22:49:57 +0530, PUSHKARAJ PATIL wrote:
virt-aa-helper calls virStorageSourceGetMetadata before adding a disk path to a domain's apparmor profile. This probes the device and may trigger an AppArmor denial when the disk is an AoE device under /dev/etherd/.
The return value of virStorageSourceGetMetadata is not checked, so the denial has no functional impact but results in noisy dmesg logs.
Allow read access to /dev/etherd/e*.* in the virt-aa-helper profile to avoid these spurious denials.
Signed-off-by: PUSHKARAJ PATIL <pushkaraj.patil@in.ibm.com> --- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in index e209a8bff7..80e9ef2b08 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -73,6 +73,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { /**.vhd r, /**.[iI][sS][oO] r, /**/disk{,.*} r, + /dev/etherd/e*.* r,
I'm not an apparmor expert but for any other paths in /dev/ the rules used are e.g.: deny /dev/sd* r, Since you're claiming that it's just spamming logs, per apparmor manpage the above seems to 'deny without loggin'. Wouldn't that be reasonable here too?