[PATCH] virt-aa-helper: Prevent spurious denials for AoE disks
virt-aa-helper calls virStorageSourceGetMetadata before adding a disk path to a domain's apparmor profile. This probes the device and may trigger an AppArmor denial when the disk is an AoE device under /dev/etherd/. The return value of virStorageSourceGetMetadata is not checked, so the denial has no functional impact but results in noisy dmesg logs. Explicitly deny read access to /dev/etherd/e*.* in the virt-aa-helper profile to avoid these spurious denials. Co-Authored-By: Peter Krempa <pkrempa@redhat.com> Signed-off-by: PUSHKARAJ PATIL <pushkaraj.patil@in.ibm.com> --- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in index e209a8bff7..1f1b80b9f9 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -38,6 +38,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { deny /dev/dm-* r, deny /dev/drbd[0-9]* r, deny /dev/dasd* r, + deny /dev/etherd/e*.* r, deny /dev/nvme* r, deny /dev/zd[0-9]* r, deny /dev/mapper/ r, -- 2.50.1 (Apple Git-155)
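Review bot: the commit message does not explain why an explicit deny rule silences the dmesg noise when an implicit denial does not; it is worth stating that AppArmor audits accesses that fall outside the profile but, by default, does not log matches on explicit `deny` rules, so `+ deny /dev/etherd/e*.* r,` leaves the virStorageSourceGetMetadata probe failing exactly as before and only stops the log spam. Two smaller points for the same hunk: `*` in an AppArmor path glob does not match `/`, so the rule covers only device nodes directly under /dev/etherd/ whose name has an `e` prefix and a dot (the e<shelf>.<slot> naming, including p<n> partition nodes), not anything nested below that directory, which is the intended scope; and placing the line between the dasd and nvme entries keeps the existing ordering of the deny list, so no further change is needed there.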
Hi, just following up on this thread. Wanted to check if there are any updates or feedback on the proposal. Happy to provide more details or test anything if needed. Thanks!
On 5/1/26 18:08, PUSHKARAJ PATIL wrote:
virt-aa-helper calls virStorageSourceGetMetadata before adding a disk path to a domain's apparmor profile. This probes the device and may trigger an AppArmor denial when the disk is an AoE device under /dev/etherd/.
The return value of virStorageSourceGetMetadata is not checked, so the denial has no functional impact but results in noisy dmesg logs.
Explicitly deny read access to /dev/etherd/e*.* in the virt-aa-helper profile to avoid these spurious denials.
Co-Authored-By: Peter Krempa <pkrempa@redhat.com> Signed-off-by: PUSHKARAJ PATIL <pushkaraj.patil@in.ibm.com> --- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in index e209a8bff7..1f1b80b9f9 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -38,6 +38,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { deny /dev/dm-* r, deny /dev/drbd[0-9]* r, deny /dev/dasd* r, + deny /dev/etherd/e*.* r, deny /dev/nvme* r, deny /dev/zd[0-9]* r, deny /dev/mapper/ r,
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> and merged. Congratulations on your first libvirt contribution! Michal
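As an added check for the change discussed in this thread (example code, not part of the patch or of libvirt), the script below parses AppArmor denial lines as they appear in dmesg and reports which denials against the virt-aa-helper profile would still be logged after adding an explicit deny glob such as /dev/etherd/e*.*. The glob translation follows AppArmor's path-matching rules ('*' and '?' do not cross '/', '**' does, '[..]' is a character class); the log lines, pids and paths are constructed samples.

```python
import re

# Constructed sample kernel log lines (not from the thread), in the usual
# AppArmor audit message layout; the pids and paths are made-up examples.
SAMPLE_DMESG = """\
audit: type=1400 audit(1700000000.123:45): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/dev/etherd/e0.0" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1700000000.124:46): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/dev/etherd/e1.2p1" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1700000000.125:47): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/dev/sda" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1700000000.126:48): apparmor="DENIED" operation="open" profile="libvirt-0000" name="/dev/etherd/e0.0" pid=4300 comm="qemu-system-x86" requested_mask="r" denied_mask="r"
"""

DENIAL_RE = re.compile(
    r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)".*?name="(?P<name>[^"]+)"')


def aa_glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regex:
    '*' and '?' never cross a '/', '**' does, '[..]' is a character class."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[" and pattern.find("]", i) != -1:
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])  # copy the class verbatim
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def denied_paths(log_text, profile="virt-aa-helper"):
    """Paths that AppArmor logged as denied for the given profile."""
    return [m.group("name") for m in map(DENIAL_RE.search, log_text.splitlines())
            if m and m.group("profile") == profile]


def uncovered_denials(log_text, deny_globs, profile="virt-aa-helper"):
    """Denied paths that no explicit 'deny' glob matches. Explicit deny rules
    are quiet by default, so only these will keep showing up in dmesg."""
    rules = [aa_glob_to_regex(g) for g in deny_globs]
    return [p for p in denied_paths(log_text, profile)
            if not any(r.match(p) for r in rules)]
```

Run `uncovered_denials(SAMPLE_DMESG, ["/dev/etherd/e*.*"])` against a real `dmesg` capture to confirm that only non-AoE denials remain after the profile update.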