There are two ways to allow qemu to access something.

1. globally through the abstraction in /etc/apparmor.d/abstractions/libvirt-qemu
   That is for paths ALL qemu/guests are supposed to use like /dev/kvm
2. per guest files generated based on the XML description in /etc/apparmor.d/libvirt/libvirt-<uuid>.files

If you need paths like /sys/bus/pci/devices/0009:03:00.0/devspec to be accessible you should consider if you can derive the path from the XML and then let virt-aa-helper write a rule for it so that the guest can do so.
Finally, later in the guest lifecycle further rules will be added via the labeling calls in the security code. E.g. if you add a device, libvirt calls a set label function and this will add the new rules (like for hotplug). For the latter see virAppArmorSecurityDriver in src/security/security_apparmor.c

--
https://bugs.launchpad.net/bugs/1680386
Title: virt-aa-helper to learn about VF devspec paths
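An added illustration of the second option above (not part of the original comment and not virt-aa-helper's code): a Python sketch that derives the devspec path from a guest's PCI hostdev entries and emits one narrow per-guest rule for each. The sample XML, the function names and the read-only `r` mode are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the bug report): one PCI hostdev whose
# address matches the path discussed above, plus a USB hostdev to be ignored.
SAMPLE_XML = """
<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0009' bus='0x03' slot='0x00' function='0x0'/>
      </source>
    </hostdev>
    <hostdev mode='subsystem' type='usb'>
      <source><vendor id='0x1234'/><product id='0xbeef'/></source>
    </hostdev>
  </devices>
</domain>
"""

# Upper bounds of each PCI address field.
LIMITS = {"domain": 0xFFFF, "bus": 0xFF, "slot": 0x1F, "function": 0x7}


def pci_bdf(addr):
    """Return dddd:bb:ss.f for an <address> element; ValueError on bad input.

    Each field is parsed as an integer and re-formatted, so no raw XML text
    (quotes, globs, '..') can end up inside the generated profile rule.
    """
    vals = {}
    for key, limit in LIMITS.items():
        value = int(addr.get(key, ""), 0)  # missing attribute -> ValueError
        if not 0 <= value <= limit:
            raise ValueError("%s out of range: %r" % (key, addr.get(key)))
        vals[key] = value
    return "{domain:04x}:{bus:02x}:{slot:02x}.{function:x}".format(**vals)


def devspec_rules(domain_xml):
    """Build one read-only rule per PCI hostdev (the 'r' mode is an assumption)."""
    root = ET.fromstring(domain_xml)
    rules = []
    for hostdev in root.findall("./devices/hostdev[@type='pci']"):
        addr = hostdev.find("./source/address")
        if addr is not None:
            rules.append('"/sys/bus/pci/devices/%s/devspec" r,' % pci_bdf(addr))
    return rules
```

The generated lines are the kind of entry that would belong in the per-guest .files profile rather than in the global abstraction, so only the guest that owns the device gains access to its sysfs node.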
