For executables dynamically linked to libnuma, the runtime linker invokes libnuma functions (num_init) that try to access /sys/devices/system/node/ and if the application's apparmor profile does not allow this access, this access will be denied by apparmor with the following error message:
apparmor="DENIED" operation="open" class="file" name="/sys/devices/system/node/" comm="qemu-bridge-hel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Here is the simplified call trace: 0 ... in ?? () from /lib/x86_64-linux-gnu/libnuma.so.1 1 ... in call_init (...) at ./elf/dl-init.c:74 2 ... in call_init (...) at ./elf/dl-init.c:120 3 _dl_init (...) at ./elf/dl-init.c:121 4 ... in _dl_start_user () from /lib64/ld-linux-x86-64.so.2 This commit adds an abstract profile that applications that are linked to libnuma can include in their apparmor profile. Signed-off-by: Hector Cao <hector....@canonical.com> --- profiles/apparmor.d/abstractions/libnuma | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 profiles/apparmor.d/abstractions/libnuma diff --git a/profiles/apparmor.d/abstractions/libnuma b/profiles/apparmor.d/abstractions/libnuma new file mode 100644 index 000000000..9126294c4 --- /dev/null +++ b/profiles/apparmor.d/abstractions/libnuma @@ -0,0 +1,19 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2025 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/4.0>, + + # this abstract profile can be included by applications that are + # dynamically linked to libnuma + # libnuma defines the function num_init() as the .init function + # to be called by the runtime linker (ld) when libnuma is loaded + + @{sys}/devices/system/cpu/node/ r, -- 2.45.2
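Review bot: the rule added at the end of the hunk does not match the path reported in the denial. The log line quoted in the commit message shows `name="/sys/devices/system/node/"`, while the new abstraction grants `@{sys}/devices/system/cpu/node/ r,`; with this rule in place the libnuma init path would still be denied. Unless there is a second access to `@{sys}/devices/system/cpu/node/` that the commit message does not mention, the line should read `@{sys}/devices/system/node/ r,`. It would also help to mention in the hunk comment which directory is read and why, so the next reader can verify the rule against a denial without consulting the commit message.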