From 405f479d0e2905ff0ed3c53a55930e9640ad0769 Mon Sep 17 00:00:00 2001 From: Jim Fehlig Date: Mon, 18 Dec 2023 16:48:13 -0700 Subject: [PATCH] apparmor: Add capabilities for PCI passthrough to virtxend profile When splitting out the apparmor modular daemon profiles from the libvirtd profile, the net_admin and sys_admin capabilities were dropped from the virtxend profile. It was not known at the time that these capabilities were needed for PCI passthrough. Without the capabilities, the following messages are emitted from the audit subsystem audit: type=1400 audit(1702939277.946:63): apparmor="DENIED" \ operation="capable" class="cap" profile="virtxend" pid=3611 \ comm="rpc-virtxend" capability=21 capname="sys_admin" audit: type=1400 audit(1702940304.818:63): apparmor="DENIED" \ operation="capable" class="cap" profile="virtxend" pid=3731 \ comm="rpc-virtxend" capability=12 capname="net_admin" It appears sys_admin is needed to simply read from the PCI dev's sysfs config file. The net_admin capability is needed when setting the MAC address of an SR-IOV virtual function. Signed-off-by: Jim Fehlig Reviewed-by: Michal Privoznik --- src/security/apparmor/usr.sbin.virtxend.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/apparmor/usr.sbin.virtxend.in index 78a11305f5..77fedce352 100644 --- a/src/security/apparmor/usr.sbin.virtxend.in +++ b/src/security/apparmor/usr.sbin.virtxend.in @@ -5,8 +5,10 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) { #include capability kill, + capability net_admin, capability setgid, capability setuid, + capability sys_admin, capability sys_pacct, capability ipc_lock,