On Fri, Mar 13, 2026 at 22:49:57 +0530, PUSHKARAJ PATIL wrote: > virt-aa-helper calls virStorageSourceGetMetadata before adding a disk > path to a domain's apparmor profile. This probes the device and may > trigger an AppArmor denial when the disk is an AoE device under > /dev/etherd/. > > The return value of virStorageSourceGetMetadata is not checked, so the > denial has no functional impact but results in noisy dmesg logs. > > Allow read access to /dev/etherd/e*.* in the virt-aa-helper profile to > avoid these spurious denials. > > Signed-off-by: PUSHKARAJ PATIL <[email protected]> > --- > src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > index e209a8bff7..80e9ef2b08 100644 > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > @@ -73,6 +73,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { > /**.vhd r, > /**.[iI][sS][oO] r, > /**/disk{,.*} r, > + /dev/etherd/e*.* r,
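Review bot: the added `/dev/etherd/e*.* r,` line widens the profile to grant virt-aa-helper read access to raw AoE block devices, but the commit message itself says the virStorageSourceGetMetadata result is ignored, so the helper gains nothing functional from the read and the only goal is quieting dmesg. A quiet `deny /dev/etherd/e*.* r,` rule would suppress the audit noise without extending what the helper may read, and would be consistent with the deny-style handling the profile already uses for other device paths under /dev/. If an allow rule is really needed, the commit message should explain why the metadata probe must succeed for AoE disks, and a short comment above the new line would help the next reader.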
I'm not an apparmor expert, but for any other paths in /dev/ the rules used are e.g.: deny /dev/sd* r, Since you're claiming that it's just spamming logs, per the apparmor manpage the above seems to 'deny without logging'. Wouldn't that be reasonable here too?
