On 2/26/25 13:00, Ryan Lee wrote:
On Tue, Feb 25, 2025 at 3:21 PM Hector Cao <hector....@canonical.com> wrote:
For executables dynamically linked to libnuma, the runtime linker
invokes libnuma functions (num_init) that try to access
/sys/devices/system/node/ and if the application's apparmor
profile does not allow this access, this access will be denied
by apparmor with the following error message:
apparmor="DENIED" operation="open" class="file"
name="/sys/devices/system/node/" comm="qemu-bridge-hel"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Here is the simplified call trace:
0 ... in ?? () from /lib/x86_64-linux-gnu/libnuma.so.1
1 ... in call_init (...) at ./elf/dl-init.c:74
2 ... in call_init (...) at ./elf/dl-init.c:120
3 _dl_init (...) at ./elf/dl-init.c:121
4 ... in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
This commit adds an abstract profile that applications that are
linked to libnuma can include in their apparmor profile.
Signed-off-by: Hector Cao <hector....@canonical.com>
---
profiles/apparmor.d/abstractions/libnuma | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 profiles/apparmor.d/abstractions/libnuma
diff --git a/profiles/apparmor.d/abstractions/libnuma
b/profiles/apparmor.d/abstractions/libnuma
new file mode 100644
index 000000000..e06e03299
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/libnuma
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2025 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/4.0>,
+
+ # this abstract profile can be included by applications that are
+ # dynamically linked to libnuma
+ # libnuma defines the function num_init() as the .init function
+ # to be called by the runtime linker (ld) when libnuma is loaded
+
+ @{sys}/devices/system/cpu/node/ r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/libnuma.d>
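Review bot: the only access rule in this hunk, `@{sys}/devices/system/cpu/node/ r,`, does not match the path that the commit message and the quoted denial identify (`name="/sys/devices/system/node/"`), so as written the abstraction would still leave that open() denied; it should read `@{sys}/devices/system/node/ r,`. Minor: the comment says the .init function is called by "the runtime linker (ld)", but the call trace shows the runtime linker is ld-linux-x86-64.so.2 (ld.so), and `ld` is the link-time linker; suggest "(ld.so)".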
--
2.45.2
Reviewed-by: Ryan Lee <ryan....@canonical.com>
Acked-by: John Johansen <john.johan...@canonical.com>