From nobody Mon Mar 23 23:29:32 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=in.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1773422801; cv=none;
	d=zohomail.com; s=zohoarc;
	b=hZ9ReGReAU6/b433h+bAKJ+S83C0EJ4t4RLssIhO3X/wETGGDHyHhjrcKtar34XIGOYGJ6ogh2DsU+ZIxsbVj6LfdWXmK4p/2mu0i61nX9sYNnFLNDYAIoBYVw0+cf7gOUb9lixDlqRBDKd/srF/ck6waTRl8pno7FTB6VCrhFE=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1773422801;
 h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Subject:Subject:To:To:Message-Id:Reply-To;
	bh=9h7DRFmitDcSUq2YqJnAHAci73NZQYWFTZCihwPWH/o=;
	b=HUXGk+ufu6ZYCXaYlJQrG9kFzqdIQWnJsju+d/htvAXTb0/oJ2emjvOpbnWQpSsJ866B0k7u2wmGgv7icC9hW8aVbOIBMN0d+YktlcwkXtnK3J69AasAgKuCGXl0B1p+tqer6BJBO5TIORWOE8pc3hSj2xvW01UFWrsAlZGVQZ8=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<pushkaraj.patil@in.ibm.com> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1773422801073370.93844615833166;
 Fri, 13 Mar 2026 10:26:41 -0700 (PDT)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 455C4418AD; Fri, 13 Mar 2026 13:26:40 -0400 (EDT)
Received: from [172.19.199.12] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id 73A4941915;
	Fri, 13 Mar 2026 13:26:09 -0400 (EDT)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 61C583F8E4; Fri, 13 Mar 2026 13:20:14 -0400 (EDT)
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.156.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 766263F252
	for <devel@lists.libvirt.org>; Fri, 13 Mar 2026 13:20:12 -0400 (EDT)
Received: from pps.filterd (m0356517.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id
 62DGwhBK2257749
	for <devel@lists.libvirt.org>; Fri, 13 Mar 2026 17:20:11 GMT
Received: from ppma22.wdc07v.mail.ibm.com
 (5c.69.3da9.ip4.static.sl-reverse.com [169.61.105.92])
	by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4cuh92gxpc-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
	for <devel@lists.libvirt.org>; Fri, 13 Mar 2026 17:20:11 +0000 (GMT)
Received: from pps.filterd (ppma22.wdc07v.mail.ibm.com [127.0.0.1])
	by ppma22.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id
 62DEj2AG014667
	for <devel@lists.libvirt.org>; Fri, 13 Mar 2026 17:20:10 GMT
Received: from smtprelay03.fra02v.mail.ibm.com ([9.218.2.224])
	by ppma22.wdc07v.mail.ibm.com (PPS) with ESMTPS id 4cuha8fkmc-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
	for <devel@lists.libvirt.org>; Fri, 13 Mar 2026 17:20:10 +0000
Received: from smtpav06.fra02v.mail.ibm.com (smtpav06.fra02v.mail.ibm.com
 [10.20.54.105])
	by smtprelay03.fra02v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 62DHK64t46465372
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Fri, 13 Mar 2026 17:20:06 GMT
Received: from smtpav06.fra02v.mail.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 098702004B;
	Fri, 13 Mar 2026 17:20:06 +0000 (GMT)
Received: from smtpav06.fra02v.mail.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 5269A20040;
	Fri, 13 Mar 2026 17:20:04 +0000 (GMT)
Received: from localhost.localdomain (unknown [9.208.125.186])
	by smtpav06.fra02v.mail.ibm.com (Postfix) with ESMTP;
	Fri, 13 Mar 2026 17:20:03 +0000 (GMT)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,HELO_MISC_IP,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc
	:content-transfer-encoding:date:from:message-id:mime-version
	:subject:to; s=pp1; bh=9h7DRFmitDcSUq2YqJnAHAci73NZQYWFTZCihwPWH
	/o=; b=PfDToJWLiyjWdBbxMmdYkwKaTT3B2RM/yFuu/wu1ZlKoVW3/O8VLzcOeC
	pvwp70az79IhXKIb5Z4mqicZphlEusV8W7JXfIHp7Q601EMKDyx45wxmUgKjenP6
	4BraLtoahZ9lIFxOMIqUBA6z7bw+FJKN9rcQavtssUJP8TEHO1XwTFkiIbpUKg+V
	EBkWrwtCC18oT8LcLDtWOw/OrfljeJmx2eoHpIXxeVG+ogLKvGdCh0bQjv0Ifbzp
	FCKs8ATvIia2iZCetqdjMKA7xtwQ6w/iuPDjVPu5775jRAAQadkH83zQfwC9wQ25
	WIEdU4Z6l4Z7rr63Tzy0jCfkK1ahQ==
From: PUSHKARAJ PATIL <pushkaraj.patil@in.ibm.com>
To: devel@lists.libvirt.org
Subject: [PATCH] virt-aa-helper: Prevent spurious denials for AoE disks
Date: Fri, 13 Mar 2026 22:49:57 +0530
Message-ID: <20260313171957.91793-1-pushkaraj.patil@in.ibm.com>
X-Mailer: git-send-email 2.50.1
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-TM-AS-GCONF: 00
X-Proofpoint-ORIG-GUID: ZQ-jCk8aXcY5b3aUJYl7jaccYUlEFwUN
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMzEzMDEzNiBTYWx0ZWRfX5dLn0/IOFk2Y
 BOEEHaeDCF6cVwSdGL00sT2V7ZDLeAUBss3bV8Bh5sIO8G79fmfZhsjhDqjpnngsCC57hwgdXeN
 SIDFsLFNtpr1OST9tFg5wYMjZ7wnUaAZKge7a6+MKCgClH/6E/WoLFbg5YniNbWV2aMe10zf7y/
 WMDVZzD2v89p/QjI85pkunTvGd2wASstmukD9Yw96a4zBB5FCZzD4VncgFHwy46F7MeGUimKJ/E
 4Myzy79JkmcEZHglkYwJIdWi4JwTI7Yfzjc9H5NvI02e5fjRQ7lOtJwvsLKlJl0Q8eYij2YDTcN
 Ri6OFt4WiieHf4JITl4PWxpq/T2dOi9HHCa2ofyNt5yoFfn3/3ToEG+MM6a2hz+OfboqCcGB9PZ
 6F9OriRXiYNBwR123x0XkdLvBVYnhpQ/ZNO5nefCVYHLRkxJapSBoN0ho3daQlm/9JoUFuXiRf9
 v7WedU4RRgvnDEyjQ0A==
X-Proofpoint-GUID: ZQ-jCk8aXcY5b3aUJYl7jaccYUlEFwUN
X-Authority-Analysis: v=2.4 cv=XNk9iAhE c=1 sm=1 tr=0 ts=69b4474b cx=c_pps
 a=5BHTudwdYE3Te8bg5FgnPg==:117 a=5BHTudwdYE3Te8bg5FgnPg==:17
 a=Yq5XynenixoA:10 a=VkNPw1HP01LnGYTKEx00:22 a=RnoormkPH1_aCDwRdu11:22
 a=U7nrCbtTmkRpXpFmAIza:22 a=VnNF1IyMAAAA:8 a=QuRgaLh16Z9UmAzV9eYA:9
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49
 definitions=2026-03-13_03,2026-03-13_01,2025-10-01_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 suspectscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 adultscore=0
 bulkscore=0 phishscore=0 priorityscore=1501 impostorscore=0 malwarescore=0
 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0
 reason=mlx scancount=1 engine=8.22.0-2603050001 definitions=main-2603130136
X-MailFrom: pushkaraj.patil@in.ibm.com
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation
Message-ID-Hash: FS46BCHVLQAI5XYRLO3ZMDWDW4Y46AZW
X-Message-ID-Hash: FS46BCHVLQAI5XYRLO3ZMDWDW4Y46AZW
X-Mailman-Approved-At: Fri, 13 Mar 2026 17:26:06 +0000
CC: PUSHKARAJ PATIL <pushkaraj.patil@in.ibm.com>
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/FS46BCHVLQAI5XYRLO3ZMDWDW4Y46AZW/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
X-ZohoMail-DKIM: pass (identity @ibm.com)
X-ZM-MESSAGEID: 1773422803520154100
Content-Type: text/plain; charset="utf-8"

virt-aa-helper calls virStorageSourceGetMetadata before adding a disk
path to a domain's apparmor profile. This probes the device and may
trigger an AppArmor denial when the disk is an AoE device under
/dev/etherd/.

The return value of virStorageSourceGetMetadata is not checked, so the
denial has no functional impact but results in noisy dmesg logs.

Allow read access to /dev/etherd/e*.* in the virt-aa-helper profile to
avoid these spurious denials.

Signed-off-by: PUSHKARAJ PATIL <pushkaraj.patil@in.ibm.com>
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/=
security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index e209a8bff7..80e9ef2b08 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -73,6 +73,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
   /**.vhd r,
   /**.[iI][sS][oO] r,
   /**/disk{,.*} r,
+  /dev/etherd/e*.* r,
=20
   include if exists <local/usr.lib.libvirt.virt-aa-helper>
 }
--=20
2.50.1 (Apple Git-155)