If SGX memory model is configured for domain then we need to allow QEMU access some additional files: 1) /dev/sgx_vepc needs to be RW 2) /dev/sgx_provision needs to be RO We already do this in SELinux driver but not in AppArmor. Resolves: https://gitlab.com/libvirt/libvirt/-/issues/751 Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; --- I've tested this successfully on my ubuntu machine. src/security/virt-aa-helper.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 1626d5a89c..c255b64f35 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1152,9 +1152,15 @@ get_files(vahControl * ctl) if (vah_add_file(&buf, mem->source.virtio_pmem.path, "rw") != 0) goto cleanup; break; + case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC: + if (vah_add_file(&buf, DEV_SGX_VEPC, "rw") != 0 || + vah_add_file(&buf, DEV_SGX_PROVISION, "r") != 0) { + goto cleanup; + } + break; + case VIR_DOMAIN_MEMORY_MODEL_DIMM: case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM: - case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC: case VIR_DOMAIN_MEMORY_MODEL_NONE: case VIR_DOMAIN_MEMORY_MODEL_LAST: break; -- 2.45.3