Use the full list as breakpoints; you can easily get it from the source like:

$ tail -n 60 src/security/security_apparmor.c | awk '/ = App/ {gsub(",",""); printf("b %s\n", $3);}'

But the only hit we get is the FD call, as expected:

Thread 2 "libvirtd" hit Breakpoint 31, AppArmorSetFDLabel (mgr=0x7f6e3c00b0a0, def=0x7f6e3c0bbca0, fd=21) at ../../../src/security/security_apparmor.c:1139

We don't really know that we are getting a vhost-net at this point. We get the FD that we pass, like fd=21, map that to /proc/self/fd/21 and finally resolve that to /dev/net/tun. That is all we get; afterwards there are no more labelling calls.

I think the assumption "if one is adding /dev/net/tun he might use vhost so also add /dev/vhost-net" is awkward. I don't see other good places to catch that dynamic, but then the solution might be quite different.

It was added by [1] quite a while back, but I'd like to get in touch with security to ask if /dev/vhost-net is still considered dangerous; maybe things are more mature and we can allow it in general now? I'll send a request now, but I will also see them next week so I can discuss it there in case there is no reply.

[1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=c7abe7448c746cf0e3a6b7fab80e083afba5d5ae

** Changed in: libvirt (Ubuntu)
       Status: Confirmed => Triaged

https://bugs.launchpad.net/bugs/1815910
Title: Apparmor blocks access to /dev/vhost-net
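As an added illustration of the two steps the comment above walks through (turning the driver's callback table into gdb breakpoints, and recovering the device path from the bare fd handed to the label hook), here is a small Python script; it is not code from the bug thread or from libvirt. The struct fragment, the companion-device table and the "path rw," rule form are constructed assumptions.

```python
import os
import re

# Constructed fragment in the shape of a security driver callback table;
# assumed field and callback names, not copied from security_apparmor.c.
SAMPLE_STRUCT = """\
virSecurityDriver virAppArmorSecurityDriver = {
    .name                          = SECURITY_APPARMOR_NAME,
    .domainSetSecurityImageFDLabel = AppArmorSetFDLabel,
    .domainSetSecurityTapFDLabel   = AppArmorSetFDLabel,
    .domainSetSecurityHostdevLabel = AppArmorSetSecurityHostdevLabel,
};
"""

# Assumed companion heuristic discussed in the comment: labelling the tap
# device implies the vhost accelerator may be opened next.
COMPANION_DEVICES = {"/dev/net/tun": ["/dev/vhost-net"]}


def breakpoints_from_struct(text):
    """Like the awk one-liner: one 'b <callback>' per App* entry, but
    deduplicated so gdb does not set the same breakpoint twice."""
    names = []
    for match in re.finditer(r"=\s*(App\w+)\s*,", text):
        if match.group(1) not in names:
            names.append(match.group(1))
    return [f"b {name}" for name in names]


def resolve_fd(fd):
    """The label hook only receives an fd; recover the path the way the
    comment describes, via the /proc/self/fd/<N> symlink (Linux only)."""
    return os.readlink(f"/proc/self/fd/{fd}")


def rules_for_path(path, companions=COMPANION_DEVICES):
    """AppArmor file rules (assumed 'path rw,' form) implied by labelling
    `path`, including any companion devices the heuristic drags in."""
    return [f"{p} rw," for p in [path, *companions.get(path, [])]]


def rules_for_fd(fd, companions=COMPANION_DEVICES):
    return rules_for_path(resolve_fd(fd), companions)


def fd_resolves_to(path):
    """Open `path`, resolve the fd back through /proc and compare."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return resolve_fd(fd) == os.path.realpath(path)
    finally:
        os.close(fd)
```

Run `python3 -c 'import sys; sys.argv' ` style: `breakpoints_from_struct(SAMPLE_STRUCT)` prints the gdb commands, and `rules_for_path("/dev/net/tun")` shows how the single tap fd silently pulls /dev/vhost-net into the profile.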