virt-aa-helper calls virStorageSourceGetMetadata before adding a disk
path to a domain's apparmor profile. This probes the device and may
trigger an AppArmor denial when the disk is an AoE device under
/dev/etherd/.

The return value of virStorageSourceGetMetadata is not checked, so the
denial has no functional impact but results in noisy dmesg logs.

Allow read access to /dev/etherd/e*.* in the virt-aa-helper profile to
avoid these spurious denials.

Signed-off-by: PUSHKARAJ PATIL <[email protected]>
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in 
b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index e209a8bff7..80e9ef2b08 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -73,6 +73,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
   /**.vhd r,
   /**.[iI][sS][oO] r,
   /**/disk{,.*} r,
+  /dev/etherd/e*.* r,
 
   include if exists <local/usr.lib.libvirt.virt-aa-helper>
 }
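Review bot: the new rule `/dev/etherd/e*.* r,` lands among the image-file-extension rules (`/**.vhd`, `/**.[iI][sS][oO]`, `/**/disk{,.*}`) with nothing explaining why a /dev path belongs there; a one-line comment above it, e.g. `# AoE block devices probed by virStorageSourceGetMetadata`, would save the next reader a trip to the git log. Read-only `r` matches the stated intent, since the helper only probes metadata and never writes, and `*` does not cross `/` in AppArmor globs, so the rule stays confined to the /dev/etherd/ directory, including partition nodes such as `e1.0p1`.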
-- 
2.50.1 (Apple Git-155)
