AMD-SEV virtual machines interact with the underlying
AMD-SEV technology through the character device /dev/sev.
Currently, the AppArmor profile does not include the rule
required to allow this access.
There are two main approaches to address this limitation:
1) Add the required rule to the libvirt-qemu abstraction.
2) Dynamically add the rule only when the VM is an AMD-SEV
guest.
Since AMD-SEV guests represent a niche use case, it is more
appropriate to apply the rule dynamically rather than granting
access to all VMs through a global abstraction change.
This commit implements option (2) by modifying the virt-aa-helper
binary to insert the necessary rule into the AppArmor dynamic
profile when the VM is identified as an AMD-SEV guest.
The added entry in the generated libvirt-<uuid>.files file
will look like:
...
"/dev/sev" rw,
...
Signed-off-by: Hector Cao <hector.cao@canonical.com>
---
src/security/virt-aa-helper.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 8a297d4b54..de0a826063 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1370,6 +1370,21 @@ get_files(vahControl * ctl)
virBufferAddLit(&buf, " deny \"/var/lib/libvirt/.cache/\" w,\n");
}
+ /* AMD-SEV VM needs to read/write the character device /dev/sev */
+ if (ctl->def->sec) {
+ switch (ctl->def->sec->sectype) {
+ case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+ virBufferAddLit(&buf, " \"/dev/sev\" rw,\n");
+ break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+ case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+ case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+ break;
+ }
+ }
+
if (ctl->newfile &&
vah_add_file(&buf, ctl->newfile, "rwk") != 0) {
return -1;
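Review bot: the comment introducing the new block ("AMD-SEV VM needs to read/write the character device /dev/sev") understates what the code does, since the switch emits `"/dev/sev" rw,` for both VIR_DOMAIN_LAUNCH_SECURITY_SEV and VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP. Reword it to name both, e.g. `/* AMD SEV and SEV-SNP guests need read/write access to /dev/sev */`, and consider saying "SEV or SEV-SNP guest" in the commit message as well, which currently describes the rule as being added only "when the VM is identified as an AMD-SEV guest". Listing the remaining enumerators (PV, TDX, NONE, LAST) with an empty `break` rather than a `default:` is the right choice here, as it keeps the compiler's enum-coverage warning useful when a new launch-security type is added.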
--
2.45.2