Apparmor tweaks (from Incus) #16132
Merged
tomponline merged 4 commits into canonical:main from Aug 1, 2025
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
(cherry picked from commit d06441c0fd92ce88be56d4b2c409e7e063e5cbeb)
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
License: Apache-2.0

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
(cherry picked from commit 858f3afbd5ef2712f5049f9e794b97e4245a80f2)
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
License: Apache-2.0

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
(cherry picked from commit 81e19ac8c12359ac8b84ea15e4155bafe3ee26e3)
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
License: Apache-2.0
Pull Request Overview
This PR updates AppArmor profiles for QEMU-related components by adding additional file system access permissions. The changes appear to be ported from the Incus project to enhance compatibility and functionality.
Key Changes:
- Added process and system file access permissions for QEMU image operations
- Enhanced QEMU instance profile with additional proc filesystem access rules
- Improved system device and node information access capabilities
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| lxd/apparmor/qemuimg.go | Added proc/sys access and system device/node read permissions for QEMU image operations |
| lxd/apparmor/instance_qemu.go | Enhanced with proc filesystem access for process information, task communication, and memory mapping |
…nd threads only Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
This was tested locally and it indeed avoids the denials from
Silence some Apparmor denials observed on my Jammy system with LXD latest/edge: