[PATCH] apparmor: Allow AMD-SEV device access for AMD-SEV VM
AMD-SEV virtual machines interact with the underlying AMD-SEV technology through the character device /dev/sev. Currently, the AppArmor profile does not include the rule required to allow this access. There are two main approaches to address this limitation: 1) Add the required rule to the libvirt-qemu abstraction. 2) Dynamically add the rule only when the VM is an AMD-SEV guest. Since AMD-SEV guests represent a niche use case, it is more appropriate to apply the rule dynamically rather than granting access to all VMs through a global abstraction change. This commit implements option (2) by modifying the virt-aa-helper binary to insert the necessary rule into the AppArmor dynamic profile when the VM is identified as an AMD-SEV guest. The added entry in the generated libvirt-<uuid>.files file will look like: ... "/dev/sev" rw, ... Signed-off-by: Hector Cao <hector.cao@canonical.com> --- src/security/virt-aa-helper.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 8a297d4b54..de0a826063 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1370,6 +1370,21 @@ get_files(vahControl * ctl) virBufferAddLit(&buf, " deny \"/var/lib/libvirt/.cache/\" w,\n"); } + /* AMD-SEV VM needs to read/write the character device /dev/sev */ + if (ctl->def->sec) { + switch (ctl->def->sec->sectype) { + case VIR_DOMAIN_LAUNCH_SECURITY_SEV: + case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP: + virBufferAddLit(&buf, " \"/dev/sev\" rw,\n"); + break; + case VIR_DOMAIN_LAUNCH_SECURITY_PV: + case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + case VIR_DOMAIN_LAUNCH_SECURITY_NONE: + case VIR_DOMAIN_LAUNCH_SECURITY_LAST: + break; + } + } + if (ctl->newfile && vah_add_file(&buf, ctl->newfile, "rwk") != 0) { return -1; -- 2.45.2
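Review bot: the comment on the first added line, "AMD-SEV VM needs to read/write the character device /dev/sev", under-describes the cases below it, since VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP is also routed to the "/dev/sev" rule; say "SEV and SEV-SNP guests" in the comment and in the subject/commit message so a later reader does not take the SNP case for an oversight. Keeping PV, TDX, NONE and LAST as explicit no-op cases with no default branch is the right choice here: a newly added launch security type will then trip the compiler's switch coverage warning instead of silently getting (or missing) device access. Also worth stating in the message why the rule is emitted only when ctl->def->sec is set: this keeps the grant per-guest, as the cover text argues, rather than widening the libvirt-qemu abstraction for every VM.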
On 10/14/25 17:28, Hector Cao wrote:
AMD-SEV virtual machines interact with the underlying AMD-SEV technology through the character device /dev/sev. Currently, the AppArmor profile does not include the rule required to allow this access.
There are two main approaches to address this limitation:
1) Add the required rule to the libvirt-qemu abstraction.
2) Dynamically add the rule only when the VM is an AMD-SEV guest.
Since AMD-SEV guests represent a niche use case, it is more appropriate to apply the rule dynamically rather than granting access to all VMs through a global abstraction change.
This commit implements option (2) by modifying the virt-aa-helper binary to insert the necessary rule into the AppArmor dynamic profile when the VM is identified as an AMD-SEV guest.
The added entry in the generated libvirt-<uuid>.files file will look like:
... "/dev/sev" rw, ...
Signed-off-by: Hector Cao <hector.cao@canonical.com>
---
src/security/virt-aa-helper.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal