[apparmor] [PATCH v2] Add abstract profile for libnuma
John Johansen
john.johansen at canonical.com
Wed Mar 19 15:49:10 UTC 2025
On 2/26/25 13:00, Ryan Lee wrote:
> On Tue, Feb 25, 2025 at 3:21 PM Hector Cao <hector.cao at canonical.com> wrote:
>>
>> For executables dynamically linked to libnuma, the runtime linker
>> invokes libnuma functions (num_init) that try to access
>> /sys/devices/system/node/ and if the application's apparmor
>> profile does not allow this access, this access will be denied
>> by apparmor with the following error message:
>>
>> apparmor="DENIED" operation="open" class="file"
>> name="/sys/devices/system/node/" comm="qemu-bridge-hel"
>> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>>
>> Here is the simplified call trace:
>>
>> 0 ... in ?? () from /lib/x86_64-linux-gnu/libnuma.so.1
>> 1 ... in call_init (...) at ./elf/dl-init.c:74
>> 2 ... in call_init (...) at ./elf/dl-init.c:120
>> 3 _dl_init (...) at ./elf/dl-init.c:121
>> 4 ... in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
>>
>> This commit adds an abstract profile that applications that are
>> linked to libnuma can include in their apparmor profile.
>>
>> Signed-off-by: Hector Cao <hector.cao at canonical.com>
>> ---
>> profiles/apparmor.d/abstractions/libnuma | 22 ++++++++++++++++++++++
>> 1 file changed, 22 insertions(+)
>> create mode 100644 profiles/apparmor.d/abstractions/libnuma
>>
>> diff --git a/profiles/apparmor.d/abstractions/libnuma b/profiles/apparmor.d/abstractions/libnuma
>> new file mode 100644
>> index 000000000..e06e03299
>> --- /dev/null
>> +++ b/profiles/apparmor.d/abstractions/libnuma
>> @@ -0,0 +1,22 @@
>> +# vim:syntax=apparmor
>> +# ------------------------------------------------------------------
>> +#
>> +# Copyright (C) 2025 Canonical Ltd.
>> +#
>> +# This program is free software; you can redistribute it and/or
>> +# modify it under the terms of version 2 of the GNU General Public
>> +# License published by the Free Software Foundation.
>> +#
>> +# ------------------------------------------------------------------
>> +
>> + abi <abi/4.0>,
>> +
>> + # this abstract profile can be included by applications that are
>> + # dynamically linked to libnuma
>> + # libnuma defines the function num_init() as the .init function
>> + # to be called by the runtime linker (ld) when libnuma is loaded
>> +
>> + @{sys}/devices/system/cpu/node/ r,
>> +
>> + # Include additions to the abstraction
>> + include if exists <abstractions/libnuma.d>
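Review bot: the path in the new rule does not match the denial the commit message quotes. The log line shows `name="/sys/devices/system/node/"`, but the rule at the end of the hunk grants `@{sys}/devices/system/cpu/node/ r,`, so an application including this abstraction would still hit the reported denial. Suggest `@{sys}/devices/system/node/ r,` instead, and confirm whether libnuma also reads entries beneath that directory, since a directory-only rule would not cover them.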
>> --
>> 2.45.2
>>
>
> Reviewed-by: Ryan Lee <ryan.lee at canonical.com>
>
Acked-by: John Johansen <john.johansen at canonical.com>
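The thread above describes a denial logged by AppArmor and a proposed abstraction intended to cover it. The following is an added example, not code from the thread or from the AppArmor project: it parses `apparmor="DENIED"` audit lines of the form quoted in the commit message, splits simple file rules of the abstraction into path and permissions, and reports which logged denials no rule covers. It assumes the standard `@{sys}` to `/sys` variable expansion from AppArmor's tunables and compares paths literally (no glob matching), which is enough to show that the quoted denial on `/sys/devices/system/node/` is not covered by a rule for `@{sys}/devices/system/cpu/node/`. The second log line and the rule set are constructed for the example.

```python
import re

# Constructed sample log: the first line is the denial quoted in the commit
# message; the second is a constructed denial for the path the rule grants.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" class="file" name="/sys/devices/system/node/" comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" class="file" name="/sys/devices/system/cpu/node/" comm="constructed-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Assumed variable expansion (AppArmor's tunables/sys defines @{sys}=/sys).
VARIABLES = {"@{sys}": "/sys"}

# Constructed rule set mirroring the single path rule of the proposed abstraction.
RULES = ["@{sys}/devices/system/cpu/node/ r,"]

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return a dict of field name -> value for one AppArmor audit line."""
    return {key: raw.strip('"') for key, raw in FIELD_RE.findall(line)}


def expand_variables(path, variables=VARIABLES):
    """Replace @{var} references in a rule path with their assumed values."""
    for name, value in variables.items():
        path = path.replace(name, value)
    return path


def parse_rule(rule):
    """Split a simple file rule 'path perms,' into (expanded path, set of perms)."""
    body = rule.strip().rstrip(",")
    path, perms = body.rsplit(None, 1)
    return expand_variables(path), set(perms)


def rule_covers(rule, denial):
    """True if the rule's literal path matches and grants every denied permission."""
    path, perms = parse_rule(rule)
    return path == denial["name"] and set(denial["denied_mask"]) <= perms


def uncovered_denials(log_text, rules=RULES):
    """Return the paths of DENIED events that no rule in the set covers."""
    uncovered = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        denial = parse_denial(line)
        if not any(rule_covers(rule, denial) for rule in rules):
            uncovered.append(denial["name"])
    return uncovered


if __name__ == "__main__":
    for path in uncovered_denials(SAMPLE_LOG):
        print("not covered by the abstraction:", path)
```

Run against real `audit.log` or journal output, the same loop tells a profile maintainer whether a proposed abstraction actually addresses the denials observed; a full implementation would need AppArmor's glob semantics and the remaining permission letters, which this literal-path check leaves out.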