From: PUSHKARAJ PATIL
To: devel@lists.libvirt.org
Subject: [PATCH] virt-aa-helper: Prevent spurious denials for AoE disks
Date: Fri, 1 May 2026 21:38:12 +0530
Message-ID: <20260501160812.46439-1-pushkaraj.patil@in.ibm.com>
CC: PUSHKARAJ PATIL, Peter Krempa

virt-aa-helper calls virStorageSourceGetMetadata before adding a disk path to a domain's apparmor profile. This probes the device and may trigger an AppArmor denial when the disk is an AoE device under /dev/etherd/.

The return value of virStorageSourceGetMetadata is not checked, so the denial has no functional impact but results in noisy dmesg logs.

Explicitly deny read access to /dev/etherd/e*.* in the virt-aa-helper profile to avoid these spurious denials.

Co-Authored-By: Peter Krempa
Signed-off-by: PUSHKARAJ PATIL
--- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/= security/apparmor/usr.lib.libvirt.virt-aa-helper.in index e209a8bff7..1f1b80b9f9 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -38,6 +38,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { deny /dev/dm-* r, deny /dev/drbd[0-9]* r, deny /dev/dasd* r, + deny /dev/etherd/e*.* r, deny /dev/nvme* r, deny /dev/zd[0-9]* r, deny /dev/mapper/ r, --=20 2.50.1 (Apple Git-155)
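Review bot: the glob in the added rule `deny /dev/etherd/e*.* r,` is looser than the digit-anchored patterns on the neighbouring lines (`deny /dev/drbd[0-9]* r,` and `deny /dev/zd[0-9]* r,`). AoE block nodes are named by numeric shelf and slot, so `deny /dev/etherd/e[0-9]*.[0-9]* r,` would cover the same disks and their partitions while matching the style of the surrounding rules. A tight pattern matters here because an explicit `deny` takes precedence over any allow rule and is not logged by default, so whatever the glob matches is refused silently. That silence is what removes the dmesg noise described in the commit message, and it would help to say so there. The message could also state that skipping the metadata probe for AoE disks is acceptable for the same reason it is for the dm, drbd, dasd, nvme and zd devices already listed.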