[PATCH] virt-aa-helper: Prevent spurious denials for AoE disks

PUSHKARAJ PATIL posted 1 patch 1 week, 6 days ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20260501160812.46439-1-pushkaraj.patil@in.ibm.com
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
1 file changed, 1 insertion(+)
virt-aa-helper calls virStorageSourceGetMetadata before adding a disk
path to a domain's apparmor profile. This probes the device and may
trigger an AppArmor denial when the disk is an AoE device under
/dev/etherd/.

The return value of virStorageSourceGetMetadata is not checked, so the
denial has no functional impact but results in noisy dmesg logs.

Explicitly deny read access to /dev/etherd/e*.* in the virt-aa-helper profile to
avoid these spurious denials.

Co-Authored-By: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: PUSHKARAJ PATIL <pushkaraj.patil@in.ibm.com>
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index e209a8bff7..1f1b80b9f9 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -38,6 +38,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
   deny /dev/dm-* r,
   deny /dev/drbd[0-9]* r,
   deny /dev/dasd* r,
+  deny /dev/etherd/e*.* r,
   deny /dev/nvme* r,
   deny /dev/zd[0-9]* r,
   deny /dev/mapper/ r,
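Review bot: the wording "avoid these spurious denials" in the commit message does not match what the added `deny /dev/etherd/e*.* r,` line does: virt-aa-helper's read of the AoE device is still refused, and the probe in virStorageSourceGetMetadata still fails exactly as before. What changes is only the logging, because an explicit `deny` rule is quiet by default (it would need `audit deny` to be logged) whereas an implicit denial is audited into dmesg. Please reword the last paragraph of the commit message to say the denial is made silent, not avoided, so that anyone later wondering why AoE backing chains are not probed understands this is intended. A short comment on the new line naming the rule's purpose (ATA over Ethernet devices) would also help, since `etherd` is far less self-explanatory than the neighbouring `dm-*`, `drbd`, `nvme` and `zd` entries.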
-- 
2.50.1 (Apple Git-155)