virt-aa-helper calls virStorageSourceGetMetadata before adding a disk path to a domain's apparmor profile. This probes the device and may trigger an AppArmor denial when the disk is an AoE device under /dev/etherd/. The return value of virStorageSourceGetMetadata is not checked, so the denial has no functional impact but results in noisy dmesg logs. Explicitly deny read access to /dev/etherd/e*.* in the virt-aa-helper profile to avoid these spurious denials. Co-Authored-By: Peter Krempa <pkrempa@redhat.com> Signed-off-by: PUSHKARAJ PATIL <pushkaraj.patil@in.ibm.com> --- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in index e209a8bff7..1f1b80b9f9 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -38,6 +38,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { deny /dev/dm-* r, deny /dev/drbd[0-9]* r, deny /dev/dasd* r, + deny /dev/etherd/e*.* r, deny /dev/nvme* r, deny /dev/zd[0-9]* r, deny /dev/mapper/ r, -- 2.50.1 (Apple Git-155)
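Review bot: the glob on the added line, `deny /dev/etherd/e*.* r,`, is looser than the neighbouring `deny /dev/drbd[0-9]* r,` and `deny /dev/zd[0-9]* r,` rules, since `*` accepts any run of non-`/` characters on either side of the dot. If the intent is only the AoE device nodes named in the commit message, a digit-anchored pattern such as `/dev/etherd/e[0-9]*.[0-9]*` would follow the style of those neighbours and keep the deny from covering unrelated names that happen to start with `e` and contain a dot. Separately, the rule is only harmless because, as the commit message says, the return value of virStorageSourceGetMetadata is not checked. The profile has no comment recording that dependency, so a later change that starts checking the return value would turn this silent deny into a functional failure for AoE disks; a one-line comment above the deny block would make that visible.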