For executables dynamically linked to libnuma, the runtime linker
invokes libnuma functions (num_init) that try to access
/sys/devices/system/node/ and if the application's apparmor
profile does not allow this access, it will be denied
by apparmor with the following error message:

  apparmor="DENIED" operation="open" class="file"
  name="/sys/devices/system/node/" comm="qemu-bridge-hel"
  requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Here is the simplified call trace:

  0 ... in ?? () from /lib/x86_64-linux-gnu/libnuma.so.1
  1 ... in call_init (...) at ./elf/dl-init.c:74
  2 ... in call_init (...) at ./elf/dl-init.c:120
  3 _dl_init (...) at ./elf/dl-init.c:121
  4 ... in _dl_start_user () from /lib64/ld-linux-x86-64.so.2

Allow access to this sysfs folder so that we do not have to
specify this permission for every executable linked to libnuma.

Changes in v2:
  - Fix typo: add missing ending '/' character to the path

Signed-off-by: Hector Cao <hector....@canonical.com>
---
 profiles/apparmor.d/abstractions/base | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base
index bf3f3184e..52cbab920 100644
--- a/profiles/apparmor.d/abstractions/base
+++ b/profiles/apparmor.d/abstractions/base
@@ -108,6 +108,8 @@
   @{sys}/devices/system/cpu/       r,
   @{sys}/devices/system/cpu/online r,
   @{sys}/devices/system/cpu/possible r,
+  # runtime initialization for binaries linked to libnuma
+  @{sys}/devices/system/node/     r,
 
   # transparent hugepage support
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
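Review bot: the new `@{sys}/devices/system/node/     r,` rule only grants a read of the directory itself (the directory listing), not of any file below it; the denial quoted in the commit message is for exactly that directory open, so any later opens of entries under node/ would still be denied, the same way the neighbouring cpu rules have to list cpu/online and cpu/possible explicitly next to cpu/. Suggest re-running a libnuma-linked binary with this abstraction applied and checking the audit log for further DENIED entries with name="/sys/devices/system/node/..." before merging; if there are any, either add those specific files in the same style as the cpu block or use a glob rule, and say in the comment which reads the rule is meant to cover rather than only "runtime initialization".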
-- 
2.45.2
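The DENIED line quoted in the commit message is the usual starting point for deriving an abstraction rule. The following is an added example, not code from the AppArmor project or from the patch author: it parses AppArmor audit lines of that shape, keeps only DENIED file events, and turns each into a candidate profile rule, substituting the @{sys} and @{PROC} tunables for the raw mount points the way the abstractions do. The sample log is constructed for this example: the first line is built around the denial shown above (the profile name and pid are assumed, since the commit message does not show them), the other two lines are invented to show a file under node/ and a non-denial being handled.

```python
import re

# Constructed sample audit lines for this example. Line 1 mirrors the denial
# quoted in the patch (profile= and pid= are assumed); lines 2 and 3 are made up.
SAMPLE_LOG = """\
audit: type=1400 apparmor="DENIED" operation="open" class="file" profile="qemu-bridge-helper" name="/sys/devices/system/node/" pid=1234 comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 apparmor="DENIED" operation="open" class="file" profile="qemu-bridge-helper" name="/sys/devices/system/node/node0/cpumap" pid=1234 comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 apparmor="ALLOWED" operation="open" class="file" profile="qemu-bridge-helper" name="/etc/ld.so.cache" pid=1234 comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value and key="quoted value" pairs as they appear in an AppArmor audit line.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Audit denied_mask letters -> file-rule permission letters. Create ("c") and
# delete ("d") both need write access in a profile rule. Exec ("x") is left out
# on purpose: an exec rule needs a qualifier (ix/Px/Cx/...) that cannot be
# derived from the log line alone, so it must be written by hand.
_MASK_MAP = {"r": "r", "w": "w", "a": "a", "l": "l", "k": "k", "m": "m",
             "c": "w", "d": "w"}
_PERM_ORDER = "rwalkm"


def parse_event(line):
    """Return the fields of one audit line as a dict, or None if the line is not
    an AppArmor DENIED file event (ALLOWED/complain-mode lines are skipped)."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _KV_RE.finditer(line)}
    if fields.get("apparmor") != "DENIED" or fields.get("class") != "file":
        return None
    return fields


def abstract_path(path):
    """Replace the fixed mount points with the tunables the abstractions use."""
    for prefix, var in (("/sys/", "@{sys}/"), ("/proc/", "@{PROC}/")):
        if path.startswith(prefix):
            return var + path[len(prefix):]
    return path


def rule_for(event):
    """Build a profile rule ('<path> <perms>,') for one denied file event, or
    None if none of the denied permissions can be expressed automatically."""
    perms = sorted({_MASK_MAP[c] for c in event.get("denied_mask", "")
                    if c in _MASK_MAP}, key=_PERM_ORDER.index)
    if not perms or "name" not in event:
        return None
    return f"{abstract_path(event['name'])} {''.join(perms)},"


def suggest_rules(log_text):
    """Distinct candidate rules for all DENIED file events in the log, sorted
    so that a directory rule lands just before the files beneath it."""
    rules = set()
    for line in log_text.splitlines():
        event = parse_event(line)
        if event:
            rule = rule_for(event)
            if rule:
                rules.add(rule)
    return sorted(rules)


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print("  " + rule)
```

The output is a starting point, not something to paste into an abstraction unmodified: a directory rule such as `@{sys}/devices/system/node/ r,` covers only the directory open that produced the denial, so the tool has to be re-run after the rule is applied to see whether further opens of files below that directory are denied, and a reviewer still has to decide whether a list of specific files or a glob is the right scope.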
