[PATCH] security: apparmor: Allow QEMU read /proc/sys/vm/max_map_count

Michal Privoznik posted 1 patch 3 months ago
src/security/apparmor/libvirt-qemu.in | 1 +
1 file changed, 1 insertion(+)
[PATCH] security: apparmor: Allow QEMU read /proc/sys/vm/max_map_count
Posted by Michal Privoznik 3 months ago
In its commit v9.0.0-rc0~1^2 QEMU started to read
/proc/sys/vm/max_map_count file to set up coroutine limits better
(something about VMAs, mmap(), see the commit for more info).
Allow the file in apparmor profile.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/660
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/security/apparmor/libvirt-qemu.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
index 8b92915281..8f17256554 100644
--- a/src/security/apparmor/libvirt-qemu.in
+++ b/src/security/apparmor/libvirt-qemu.in
@@ -34,6 +34,7 @@
   # only modify its comm value or those in its thread group.
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   @{PROC}/sys/kernel/cap_last_cap r,
+  @{PROC}/sys/vm/max_map_count r,
   @{PROC}/sys/vm/overcommit_memory r,
   # detect hardware capabilities via qemu_getauxval
   owner @{PROC}/*/auxv r,
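Review bot: the new rule at `+  @{PROC}/sys/vm/max_map_count r,` would benefit from a one-line comment above it, as the profile already does for neighbouring entries (e.g. `# detect hardware capabilities via qemu_getauxval`), recording that QEMU reads this sysctl since v9.0.0-rc0 to size its coroutine pool; without it a future reader has no way to tell from the profile alone why the entry exists or when it could be dropped. Placement and form otherwise match the surrounding rules: it sits alphabetically between `cap_last_cap` and `overcommit_memory`, uses the same non-`owner` form as those two (sysctl files are system-wide, not per-process), and grants read only, so the guest process still cannot alter the VMA limit.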
-- 
2.44.2
Re: [PATCH] security: apparmor: Allow QEMU read /proc/sys/vm/max_map_count
Posted by Peter Krempa 3 months ago
On Tue, Aug 20, 2024 at 12:16:20 +0200, Michal Privoznik wrote:
> In its commit v9.0.0-rc0~1^2 QEMU started to read
> /proc/sys/vm/max_map_count file to set up coroutine limits better
> (something about VMAs, mmap(), see the commit for more info).
> Allow the file in apparmor profile.
> 
> Resolves: https://gitlab.com/libvirt/libvirt/-/issues/660
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>  src/security/apparmor/libvirt-qemu.in | 1 +
>  1 file changed, 1 insertion(+)

Reviewed-by: Peter Krempa <pkrempa@redhat.com>