From: Christian Ehrhardt <[email protected]>

Glibc in 2.36 and later will [1] access sysfs at /sys/devices/system/cpu/possible when using sysconf for _SC_NPROCESSORS_CONF.
That will make a lot of different code, for example anything linked against libnuma, trigger this apparmor denial. apparmor="DENIED" operation="open" class="file" ... name="/sys/devices/system/cpu/possible" ... requested_mask="r" denied_mask="r" fsuid=0 ouid=0  This entry seems rather safe, and it follows others that are already in place. Instead of fixing each software individually this should go into the base profile as well. Initially reported via https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073 Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267 Signed-off-by: Christian Ehrhardt <[email protected]> --- profiles/apparmor.d/abstractions/base | 1 + 1 file changed, 1 insertion(+) diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base index a03be4b07..81c50359e 100644 --- a/profiles/apparmor.d/abstractions/base +++ b/profiles/apparmor.d/abstractions/base @@ -101,6 +101,7 @@ @{PROC}/cpuinfo r, @{sys}/devices/system/cpu/ r, @{sys}/devices/system/cpu/online r, + @{sys}/devices/system/cpu/possible r, # glibc's *printf protections read the maps file @{PROC}/@{pid}/{maps,auxv,status} r, -- 2.38.1
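Review bot: The added `@{sys}/devices/system/cpu/possible r,` rule in the hunk at line 101 of profiles/apparmor.d/abstractions/base has no comment saying why it is needed, while the rule right below it carries one ("# glibc's *printf protections read the maps file"). Since this abstraction is included by most profiles, a one-line comment above the new rule, for example `# glibc >= 2.36 reads this for sysconf(_SC_NPROCESSORS_CONF)`, would keep the reason visible to anyone auditing the base profile later. The commit message also cites "[1]" without giving the reference it points to; include the link to the glibc change so the claim can be checked. The rule itself is read-only and limited to a single file next to the existing `cpu/` and `cpu/online` entries, so the scope looks appropriate.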
