[apparmor] [PATCH] Add abstract profile for libnuma
Hector Cao
hector.cao at canonical.com
Tue Feb 25 23:21:54 UTC 2025
Got it, thanks
On Wed, Feb 26, 2025 at 12:07 AM Ryan Lee <ryan.lee at canonical.com> wrote:
> On Tue, Feb 25, 2025 at 1:06 AM Hector Cao <hector.cao at canonical.com>
> wrote:
> >
> > For executables dynamically linked to libnuma, the runtime linker
> > invokes libnuma functions (num_init) that try to access
> > /sys/devices/system/node/ and if the application's apparmor
> > profile does not allow this access, this access will be denied
> > by apparmor with the following error message:
> >
> > apparmor="DENIED" operation="open" class="file"
> > name="/sys/devices/system/node/" comm="qemu-bridge-hel"
> > requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> >
> > Here is the simplified call trace:
> >
> > 0 ... in ?? () from /lib/x86_64-linux-gnu/libnuma.so.1
> > 1 ... in call_init (...) at ./elf/dl-init.c:74
> > 2 ... in call_init (...) at ./elf/dl-init.c:120
> > 3 _dl_init (...) at ./elf/dl-init.c:121
> > 4 ... in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
> >
> > This commit adds an abstract profile that applications that are
> > linked to libnuma can include in their apparmor profile.
> >
> > Signed-off-by: Hector Cao <hector.cao at canonical.com>
> > ---
> > profiles/apparmor.d/abstractions/libnuma | 19 +++++++++++++++++++
> > 1 file changed, 19 insertions(+)
> > create mode 100644 profiles/apparmor.d/abstractions/libnuma
> >
> > diff --git a/profiles/apparmor.d/abstractions/libnuma
> b/profiles/apparmor.d/abstractions/libnuma
> > new file mode 100644
> > index 000000000..9126294c4
> > --- /dev/null
> > +++ b/profiles/apparmor.d/abstractions/libnuma
> > @@ -0,0 +1,19 @@
> > +# vim:syntax=apparmor
> > +# ------------------------------------------------------------------
> > +#
> > +# Copyright (C) 2025 Canonical Ltd.
> > +#
> > +# This program is free software; you can redistribute it and/or
> > +# modify it under the terms of version 2 of the GNU General Public
> > +# License published by the Free Software Foundation.
> > +#
> > +# ------------------------------------------------------------------
> > +
> > + abi <abi/4.0>,
> > +
> > + # this abstract profile can be included by applications that are
> > + # dynamically linked to libnuma
> > + # libnuma defines the function num_init() as the .init function
> > + # to be called by the runtime linker (ld) when libnuma is loaded
> > +
> > + @{sys}/devices/system/cpu/node/ r,
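Review bot: the path in the added rule does not match the path the commit message and the denial log name. The log shows name="/sys/devices/system/node/" and the description says libnuma's init function opens /sys/devices/system/node/, but the rule grants `@{sys}/devices/system/cpu/node/ r,`, so the reported denial would remain after including this abstraction. Suggest `@{sys}/devices/system/node/ r,`. Separately, to allow site-local additions, the abstraction should end with `include if exists <abstractions/libnuma.d>`, as the other upstream abstractions do.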
>
> To allow local additions to the abstraction, please add "include if
> exists <abstractions/libnuma.d>" to the end of the abstraction. You
> can see examples of such include lines in e.g. the upstream
> abstractions/nameservice.
>
> > --
> > 2.45.2
> >
> >
>
--
Hector CAO
Software Engineer – Partner Engineering Team
hector.cao at canonical.com
https://launchpad.net/~hectorcao