This bit of the diff scared me: --- a/interfaces/builtin/microstack_support.go +++ b/interfaces/builtin/microstack_support.go @@ -215,6 +215,17 @@ unmount /run/netns/ovnmeta-*,
# Required by libvirtd to detect and utilise AMD SEV capabilities for AMD CPU's /dev/sev rw, + +# Required by OVS to initialize DPDK +# https://doc.dpdk.org/guides/linux_gsg/enable_func.html +@{PROC}/@{pids}/pagemap r, +capability ipc_lock, +# Allow anonymous files backed by huge pages. +# https://gitlab.com/apparmor/apparmor/-/issues/545 +# Note that this rule doesn't allow top level files and directories to be removed. +# At the same time, subpaths are expected to be on squashfs unless modified +# through layouts. +owner / rw, ` const microStackSupportConnectedPlugSecComp = ` Even though the comment tries to explain that this rule "does not allow top level files and directories to be removed". Why is that? In which context is this rule used that makes it "safe"? ** Bug watch added: gitlab.com/apparmor/apparmor/-/issues #545 https://gitlab.com/apparmor/apparmor/-/issues/545 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2124239 Title: [SRU] 2.72 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2124239/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
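Review bot: the pagemap rule in this hunk, `@{PROC}/@{pids}/pagemap r,`, is wider than the stated purpose needs: `@{pids}` matches every process, so the confined OVS/DPDK process could read the page tables of any task it can otherwise see, while DPDK only needs its own mapping to translate hugepage virtual addresses. Suggest `@{PROC}/@{pid}/pagemap r,` (or at least an `owner` qualifier) unless there is a documented reason OVS reads other processes' pagemaps. On the question raised about `owner / rw,`: as written the path has no glob, so it matches only the root directory inode itself, not `/**`; AppArmor mediates unlink and create on the path of the child entry, not on the parent directory, which is why the rule cannot by itself remove or create top-level entries, and `owner` further limits it to the case where `/` is owned by the task's fsuid. That reasoning is the actual justification for the rule and belongs in the comment next to the apparmor issue link, since "doesn't allow top level files and directories to be removed" reads as an unexplained assertion without it. `capability ipc_lock,` is consistent with the hugepage/mlock requirement the DPDK guide cited in the comment describes.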
