[PATCH] virt-aa-helper: Prevent spurious denials for AoE disks
virt-aa-helper calls virStorageSourceGetMetadata before adding a disk path to a domain's apparmor profile. This probes the device and may trigger an AppArmor denial when the disk is an AoE device under /dev/etherd/. The return value of virStorageSourceGetMetadata is not checked, so the denial has no functional impact but results in noisy dmesg logs. Allow read access to /dev/etherd/e*.* in the virt-aa-helper profile to avoid these spurious denials. Signed-off-by: PUSHKARAJ PATIL <pushkaraj.patil@in.ibm.com> --- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in index e209a8bff7..80e9ef2b08 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -73,6 +73,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { /**.vhd r, /**.[iI][sS][oO] r, /**/disk{,.*} r, + /dev/etherd/e*.* r, include if exists <local/usr.lib.libvirt.virt-aa-helper> } -- 2.50.1 (Apple Git-155)
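Review bot: The added rule `/dev/etherd/e*.* r,` grants virt-aa-helper read access to the raw AoE block devices, which is broader than the problem the commit message describes: the probe result is not used, so the only goal is to silence the audit entry. A quiet deny, in the style the profile already uses for other device nodes (`deny /dev/sd* r,`), suppresses the log line without letting the helper read guest disk contents: `deny /dev/etherd/e*.* r,`. If read access is in fact required (for example so virStorageSourceGetMetadata can resolve a backing chain on these devices), the commit message should state that, since its current justification argues the opposite. The glob itself is fine: `*` does not cross `/` in AppArmor paths, so the rule stays confined to /dev/etherd/.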
Hi, just following up on this thread. I wanted to check if there are any updates or feedback on the proposal. Happy to provide more details or test anything if needed. Thanks!
On Fri, Mar 13, 2026 at 22:49:57 +0530, PUSHKARAJ PATIL wrote:
virt-aa-helper calls virStorageSourceGetMetadata before adding a disk path to a domain's apparmor profile. This probes the device and may trigger an AppArmor denial when the disk is an AoE device under /dev/etherd/.
The return value of virStorageSourceGetMetadata is not checked, so the denial has no functional impact but results in noisy dmesg logs.
Allow read access to /dev/etherd/e*.* in the virt-aa-helper profile to avoid these spurious denials.
Signed-off-by: PUSHKARAJ PATIL <pushkaraj.patil@in.ibm.com> --- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in index e209a8bff7..80e9ef2b08 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -73,6 +73,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { /**.vhd r, /**.[iI][sS][oO] r, /**/disk{,.*} r, + /dev/etherd/e*.* r,
I'm not an apparmor expert but for any other paths in /dev/ the rules used are e.g.:

  deny /dev/sd* r,

Since you're claiming that it's just spamming logs, per apparmor manpage the above seems to 'deny without logging'. Wouldn't that be reasonable here too?
participants (3): Peter Krempa, PUSHKARAJ PATIL, pushkaraj.patil@in.ibm.com