[PATCH] apparmor: Allow SGX if configured

Michal Privoznik posted 1 patch 6 months, 2 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/5d7a0cd2f96734297df55a78d7f7eea5a3710fda.1740478192.git.mprivozn@redhat.com
src/security/virt-aa-helper.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
[PATCH] apparmor: Allow SGX if configured
Posted by Michal Privoznik 6 months, 2 weeks ago
If the SGX memory model is configured for a domain then we need to
allow QEMU to access some additional files:

  1) /dev/sgx_vepc needs to be RW
  2) /dev/sgx_provision needs to be RO

We already do this in the SELinux driver but not in AppArmor.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/751

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---

I've tested this successfully on my Ubuntu machine.

 src/security/virt-aa-helper.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 1626d5a89c..c255b64f35 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1152,9 +1152,15 @@ get_files(vahControl * ctl)
             if (vah_add_file(&buf, mem->source.virtio_pmem.path, "rw") != 0)
                 goto cleanup;
             break;
+        case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+            if (vah_add_file(&buf, DEV_SGX_VEPC, "rw") != 0 ||
+                vah_add_file(&buf, DEV_SGX_PROVISION, "r") != 0) {
+                goto cleanup;
+            }
+            break;
+
         case VIR_DOMAIN_MEMORY_MODEL_DIMM:
         case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
-        case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
         case VIR_DOMAIN_MEMORY_MODEL_NONE:
         case VIR_DOMAIN_MEMORY_MODEL_LAST:
             break;
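Review bot: DEV_SGX_VEPC and DEV_SGX_PROVISION are used in the new VIR_DOMAIN_MEMORY_MODEL_SGX_EPC case but are not defined in this hunk; confirm the header that defines them (shared with the SELinux driver, per the commit message) is included by virt-aa-helper.c, otherwise an AppArmor-enabled build fails. Since get_files() reaches this case once per memory device, a domain with several sgx-epc sections emits the same two device-node rules repeatedly; harmless for AppArmor, but worth a short comment. The "r" on DEV_SGX_PROVISION and "rw" on DEV_SGX_VEPC match what the commit message states.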
-- 
2.45.3
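As an added example (not libvirt's code), the following derives the AppArmor rules the patched helper should emit for a domain's sgx-epc memory devices and checks a generated per-domain profile for them; the rule text format, the constant names and the sample XML/profile are assumptions modelled on the patch, and the example also covers the multi-section case the patch does not mention.

```python
# Added example, not part of the libvirt patch: mirror the patched switch in
# Python and verify a generated libvirt-<uuid>.files profile carries the rules.
import xml.etree.ElementTree as ET

# Device nodes named in the commit message; the constant names are assumed.
DEV_SGX_VEPC = "/dev/sgx_vepc"
DEV_SGX_PROVISION = "/dev/sgx_provision"

# Constructed domain XML with one sgx-epc device and one unrelated dimm.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>sgx-guest</name>
  <devices>
    <memory model='sgx-epc'>
      <target><size unit='KiB'>65536</size></target>
    </memory>
    <memory model='dimm'>
      <target><size unit='KiB'>524288</size></target>
    </memory>
  </devices>
</domain>"""

def expected_sgx_rules(domain_xml: str) -> list[str]:
    """Return the AppArmor file rules the helper should add for SGX EPC.
    Like the patched case: vepc is read-write, provision is read-only.
    Rules are deduplicated because get_files() runs once per memory device,
    so several sgx-epc sections must not yield repeated rules here."""
    root = ET.fromstring(domain_xml)
    rules: list[str] = []
    for mem in root.iterfind("./devices/memory"):
        if mem.get("model") != "sgx-epc":
            continue
        for rule in (f'"{DEV_SGX_VEPC}" rw,', f'"{DEV_SGX_PROVISION}" r,'):
            if rule not in rules:
                rules.append(rule)
    return rules

def missing_rules(profile_text: str, rules: list[str]) -> list[str]:
    """Return expected rules absent from a generated .files profile."""
    present = {line.strip() for line in profile_text.splitlines()}
    return [r for r in rules if r not in present]

# Constructed profile fragment: the read-write vepc rule is missing.
SAMPLE_PROFILE = '''# DO NOT EDIT THIS FILE DIRECTLY.
  "/var/lib/libvirt/qemu/domain-1-sgx-guest/master-key.aes" rw,
  "/dev/sgx_provision" r,
'''

if __name__ == "__main__":
    rules = expected_sgx_rules(SAMPLE_DOMAIN_XML)
    print("missing:", missing_rules(SAMPLE_PROFILE, rules))
```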
Re: [PATCH] apparmor: Allow SGX if configured
Posted by Ján Tomko 6 months, 2 weeks ago
On a Tuesday in 2025, Michal Privoznik wrote:
>If the SGX memory model is configured for a domain then we need to
>allow QEMU to access some additional files:
>
>  1) /dev/sgx_vepc needs to be RW
>  2) /dev/sgx_provision needs to be RO
>
>We already do this in the SELinux driver but not in AppArmor.
>
>Resolves: https://gitlab.com/libvirt/libvirt/-/issues/751
>
>Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
>---
>
>I've tested this successfully on my Ubuntu machine.
>
> src/security/virt-aa-helper.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano