On 10/14/25 17:28, Hector Cao wrote:
> AMD-SEV virtual machines interact with the underlying
> AMD-SEV technology through the character device /dev/sev.
> Currently, the AppArmor profile does not include the rule
> required to allow this access.
>
> There are two main approaches to address this limitation:
>
> 1) Add the required rule to the libvirt-qemu abstraction.
> 2) Dynamically add the rule only when the VM is an AMD-SEV
> guest.
>
> Since AMD-SEV guests represent a niche use case, it is more
> appropriate to apply the rule dynamically rather than granting
> access to all VMs through a global abstraction change.
>
> This commit implements option (2) by modifying the virt-aa-helper
> binary to insert the necessary rule into the AppArmor dynamic
> profile when the VM is identified as an AMD-SEV guest.
>
> The added entry in the generated libvirt-<uuid>.files file
> will look like:
>
> ...
> "/dev/sev" rw,
> ...
>
> Signed-off-by: Hector Cao <[email protected]>
> ---
> src/security/virt-aa-helper.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
Reviewed-by: Michal Privoznik <[email protected]>

Michal
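The per-VM rule generation the commit message describes, as an added illustration that is not part of this thread and not libvirt's own virt-aa-helper code: it takes a domain definition, decides whether the guest is an AMD-SEV guest, and appends the `"/dev/sev" rw,` entry to the per-VM rule list only in that case, leaving non-SEV guests without the device access. The detection heuristic (a `<launchSecurity>` element whose type starts with `sev`), the two domain XML documents and the base disk rule are constructed for the example; the patch's actual detection logic is not shown in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain definitions for the example (not from the patch
# or from libvirt's test suite).
SEV_DOMAIN_XML = """<domain type='kvm'>
  <name>sev-guest</name>
  <uuid>0f1d2c3b-1111-2222-3333-444455556666</uuid>
  <launchSecurity type='sev'>
    <policy>0x0003</policy>
    <cbitpos>47</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
  </launchSecurity>
</domain>"""

PLAIN_DOMAIN_XML = """<domain type='kvm'>
  <name>plain-guest</name>
  <uuid>9a8b7c6d-aaaa-bbbb-cccc-ddddeeeeffff</uuid>
</domain>"""

# The rule the thread says ends up in libvirt-<uuid>.files for SEV guests.
SEV_RULE = '"/dev/sev" rw,'


def is_sev_guest(domain_xml: str) -> bool:
    """Return True when the domain requests AMD SEV launch security.

    Assumption: the guest is identified by a <launchSecurity> element
    whose type starts with 'sev' (this also matches 'sev-snp').
    """
    root = ET.fromstring(domain_xml)
    ls = root.find("launchSecurity")
    return ls is not None and (ls.get("type") or "").startswith("sev")


def extra_device_rules(domain_xml: str) -> list[str]:
    """Device rules that apply to this guest only; empty for non-SEV guests."""
    return [SEV_RULE] if is_sev_guest(domain_xml) else []


def render_files_profile(domain_xml: str, base_rules: list[str]) -> str:
    """Render the per-VM rule file: the usual rules plus conditional ones."""
    rules = list(base_rules) + extra_device_rules(domain_xml)
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    # Constructed base rule standing in for the disk rules virt-aa-helper
    # already emits for every guest.
    base = ['"/var/lib/libvirt/images/disk.qcow2" rwk,']
    print(render_files_profile(SEV_DOMAIN_XML, base))
    print(render_files_profile(PLAIN_DOMAIN_XML, base))
```

The point of keeping the SEV rule out of the base rule list, rather than in a shared abstraction, is exactly the one the commit message makes: a guest that does not declare launch security never gets `/dev/sev` in its profile, so a compromise of an ordinary VM's QEMU process cannot reach the SEV firmware interface.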
