On Tue, Feb 25, 2025 at 1:06 AM Hector Cao <hector....@canonical.com> wrote:
>
> For executables dynamically linked to libnuma, the runtime linker
> invokes libnuma functions (num_init) that try to access
> /sys/devices/system/node/ and if the application's apparmor
> profile does not allow this access, this access will be denied
> by apparmor with the following error message:
>
>   apparmor="DENIED" operation="open" class="file"
>   name="/sys/devices/system/node/" comm="qemu-bridge-hel"
>   requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> Here is the simplified call trace:
>
>   0 ... in ?? () from /lib/x86_64-linux-gnu/libnuma.so.1
>   1 ... in call_init (...) at ./elf/dl-init.c:74
>   2 ... in call_init (...) at ./elf/dl-init.c:120
>   3 _dl_init (...) at ./elf/dl-init.c:121
>   4 ... in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
>
> This commit adds an abstract profile that applications that are
> linked to libnuma can include in their apparmor profile.
>
> Signed-off-by: Hector Cao <hector....@canonical.com>
> ---
>  profiles/apparmor.d/abstractions/libnuma | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
>  create mode 100644 profiles/apparmor.d/abstractions/libnuma
>
> diff --git a/profiles/apparmor.d/abstractions/libnuma 
> b/profiles/apparmor.d/abstractions/libnuma
> new file mode 100644
> index 000000000..9126294c4
> --- /dev/null
> +++ b/profiles/apparmor.d/abstractions/libnuma
> @@ -0,0 +1,19 @@
> +# vim:syntax=apparmor
> +# ------------------------------------------------------------------
> +#
> +#    Copyright (C) 2025 Canonical Ltd.
> +#
> +#    This program is free software; you can redistribute it and/or
> +#    modify it under the terms of version 2 of the GNU General Public
> +#    License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +
> +  abi <abi/4.0>,
> +
> +  # this abstract profile can be included by applications that are
> +  # dynamically linked to libnuma
> +  # libnuma defines the function num_init() as the .init function
> +  # to be called by the runtime linker (ld) when libnuma is loaded
> +
> +  @{sys}/devices/system/cpu/node/ r,
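Review bot: the rule granted at the end of the hunk, `@{sys}/devices/system/cpu/node/ r,`, does not match the path in the denial quoted in the commit message, `name="/sys/devices/system/node/"`, so the abstraction as written would not resolve the reported denial; it should read `@{sys}/devices/system/node/ r,` (and the comment above it, which names the init function `num_init()`, should use the same spelling as the commit message or the actual symbol so readers can grep for it). It would also help to state in the comment which files under that directory libnuma reads, if anything beyond the directory listing is needed, so the rule can be kept as narrow as possible.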

To allow local additions to the abstraction, please add "include if
exists <abstractions/libnuma.d>" to the end of the abstraction. You
can see examples of such include lines in e.g. the upstream
abstractions/nameservice.

> --
> 2.45.2
>
>