On Thu, Feb 13, 2025 at 7:57 PM Ryan Lee <ryan....@canonical.com> wrote:

> On Thu, Feb 13, 2025 at 7:58 AM Hector Cao <hector....@canonical.com>
> wrote:
> >
> > For executables dynamically linked to libnuma, the runtime linker
> > invokes libnuma functions (num_init) that try to access
> > /sys/devices/system/node/ and if the application's apparmor
> > profile does not allow this access, this access will be denied
> > by apparmor with following error message:
> >
> >   apparmor="DENIED" operation="open" class="file"
> >   name="/sys/devices/system/node/" comm="qemu-bridge-hel"
> >   requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> >
> > Here is the simplified call trace:
> >
> >   0 ... in ?? () from /lib/x86_64-linux-gnu/libnuma.so.1
> >   1 ... in call_init (...) at ./elf/dl-init.c:74
> >   2 ... in call_init (...) at ./elf/dl-init.c:120
> >   3 _dl_init (...) at ./elf/dl-init.c:121
> >   4 ... in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
> >
> > Allow access to this sysfs folder so that we do not have to
> > specify this permission for every executable linked to libnuma
>
> IMO this should go into a dedicated numa abstraction and not be added
> to abstractions/base.
>
>
I agree. I have also considered this option but finally went for putting
the permission in the base abstraction; still, I think it is also
appropriate to have a dedicated abstraction for this use case of libnuma.

If possible, I would like to have a +1 from another reviewer for the
approach proposed by Ryan before modifying the patch.


> >
> > Changes in v2:
> >   - Fix typo: add missing ending '/' character to the path
> >
> > Signed-off-by: Hector Cao <hector....@canonical.com>
> > ---
> >  profiles/apparmor.d/abstractions/base | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/profiles/apparmor.d/abstractions/base
> b/profiles/apparmor.d/abstractions/base
> > index bf3f3184e..52cbab920 100644
> > --- a/profiles/apparmor.d/abstractions/base
> > +++ b/profiles/apparmor.d/abstractions/base
> > @@ -108,6 +108,8 @@
> >    @{sys}/devices/system/cpu/       r,
> >    @{sys}/devices/system/cpu/online r,
> >    @{sys}/devices/system/cpu/possible r,
> > +  # runtime initialization for binaries linked to libnuma
> > +  @{sys}/devices/system/node/     r,
> >
> >    # transparent hugepage support
> >    @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
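Review bot: The new rule `@{sys}/devices/system/node/ r` grants read on the directory itself only; per-node entries underneath it (`node0/`, `node0/meminfo` and the like) are not matched by a path ending in `node/`, so if libnuma's initialisation reads anything below the directory the denial just moves one level down. Worth confirming from the same audit log that the directory read is the only access needed, or deliberately listing the needed children the way the `cpu/` block above lists `cpu/online` and `cpu/possible` explicitly rather than reaching for `**`. Also, as raised above, this rule would be better placed in a dedicated abstraction that only libnuma-linked binaries include, so every profile pulling in `abstractions/base` does not gain sysfs NUMA access it never asked for.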
> > --
> > 2.45.2
> >
> >
>


-- 
Hector CAO
Software Engineer – Partner Engineering Team
hector....@canonical.com
https://launchpad.net/~hectorcao
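As an added illustration, not part of this thread or of the AppArmor code base: a small Python model of AppArmor path globbing, run against the denial quoted above and a constructed denial for a per-node file. It is simplified (assumes `@{sys}` expands to `/sys` as in the stock tunables; alternation and character classes are not modelled) and shows why a rule ending in `node/` covers only the directory listing, while entries below it need `node/**` or explicit rules.

```python
import re

# Assumption: @{sys} and @{proc} resolve as in the stock AppArmor tunables;
# only these two variables are modelled here.
VARIABLES = {"sys": "/sys", "proc": "/proc"}


def expand_variables(rule_path: str) -> str:
    """Replace @{name} references with their tunable values."""
    return re.sub(r"@\{(\w+)\}", lambda m: VARIABLES[m.group(1)], rule_path)


def rule_to_regex(rule_path: str) -> re.Pattern:
    """Translate an AppArmor path glob into an anchored regex.

    Simplified model of AppArmor globbing:
      **  matches any run of characters, including '/'
      *   matches any run of characters except '/'
      ?   matches one character except '/'
    Alternation {a,b} and character classes are not modelled.
    """
    path = expand_variables(rule_path)
    out = []
    i = 0
    while i < len(path):
        if path.startswith("**", i):
            out.append(".*")
            i += 2
        elif path[i] == "*":
            out.append("[^/]*")
            i += 1
        elif path[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_matches(rule_path: str, candidate: str) -> bool:
    """True if the rule's path glob matches the candidate path exactly."""
    return rule_to_regex(rule_path).match(candidate) is not None


LOG_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_denial(log_line: str) -> dict:
    """Pull the key="value" fields out of an AppArmor audit line."""
    return dict(LOG_FIELD.findall(log_line))


def denial_covered(log_line: str, rule_path: str, rule_perms: str) -> bool:
    """True if a file rule (path glob + permission string) would have
    granted the access that the audit line reports as denied."""
    fields = parse_denial(log_line)
    if fields.get("apparmor") != "DENIED" or fields.get("class") != "file":
        return False
    path_ok = rule_matches(rule_path, fields["name"])
    perms_ok = set(fields["denied_mask"]) <= set(rule_perms)
    return path_ok and perms_ok


# The denial quoted in the thread, plus a constructed one for a per-node
# file (hypothetical: libnuma is not shown reading it on the page).
DENIAL_DIR = ('apparmor="DENIED" operation="open" class="file" '
              'name="/sys/devices/system/node/" comm="qemu-bridge-hel" '
              'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
DENIAL_NODE0 = ('apparmor="DENIED" operation="open" class="file" '
                'name="/sys/devices/system/node/node0/meminfo" '
                'comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" '
                'fsuid=1000 ouid=0')

PATCH_RULE = "@{sys}/devices/system/node/"      # the rule in the patch
WIDER_RULE = "@{sys}/devices/system/node/**"    # hypothetical wider form

if __name__ == "__main__":
    for rule in (PATCH_RULE, WIDER_RULE):
        for line in (DENIAL_DIR, DENIAL_NODE0):
            name = parse_denial(line)["name"]
            print(f"{rule:34} {name:42} {denial_covered(line, rule, 'r')}")
```

Running it prints that the patch's rule covers the directory denial but not the constructed `node0/meminfo` one, while the `**` form covers both; the trade-off is that `**` also grants every other file under the directory, which is why listing the needed children explicitly is the usual preference in the abstractions.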
