From: Hector Cao
Date: Tue, 14 Oct 2025 15:28:34 +0000 (+0200)
Subject: apparmor: Allow AMD-SEV device access for AMD-SEV VM
X-Git-Tag: v11.9.0-rc1~25
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b90cf0c916cb114ae4cefa082311c05fc5e00193;p=thirdparty%2Flibvirt.git

apparmor: Allow AMD-SEV device access for AMD-SEV VM

AMD-SEV virtual machines interact with the underlying AMD-SEV technology through the character device /dev/sev. Currently, the AppArmor profile does not include the rule required to allow this access.

There are two main approaches to address this limitation:

1) Add the required rule to the libvirt-qemu abstraction.
2) Dynamically add the rule only when the VM is an AMD-SEV guest.

Since AMD-SEV guests represent a niche use case, it is more appropriate to apply the rule dynamically rather than granting access to all VMs through a global abstraction change.

This commit implements option (2) by modifying the virt-aa-helper binary to insert the necessary rule into the AppArmor dynamic profile when the VM is identified as an AMD-SEV guest.

The added entry in the generated libvirt-.files file will look like:

...
"/dev/sev" rw,
...

Signed-off-by: Hector Cao
Reviewed-by: Michal Privoznik
---
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 8a297d4b54..de0a826063 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1370,6 +1370,21 @@ get_files(vahControl * ctl) virBufferAddLit(&buf, " deny \"/var/lib/libvirt/.cache/\" w,\n"); } + /* AMD-SEV VM needs to read/write the character device /dev/sev */ + if (ctl->def->sec) { + switch (ctl->def->sec->sectype) { + case VIR_DOMAIN_LAUNCH_SECURITY_SEV: + case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP: + virBufferAddLit(&buf, " \"/dev/sev\" rw,\n"); + break; + case VIR_DOMAIN_LAUNCH_SECURITY_PV: + case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + case VIR_DOMAIN_LAUNCH_SECURITY_NONE: + case VIR_DOMAIN_LAUNCH_SECURITY_LAST: + break; + } + } + if (ctl->newfile && vah_add_file(&buf, ctl->newfile, "rwk") != 0) { return -1;
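Review bot: the comment above the new block ("AMD-SEV VM needs to read/write the character device /dev/sev") and the commit message both speak only of AMD-SEV, but the switch grants the rule for VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP as well; please name SEV-SNP explicitly in the comment and in the message so the scope of the /dev/sev grant is documented where a profile reviewer will look for it. A second, smaller point: the rule is emitted with a raw virBufferAddLit(&buf, "  \"/dev/sev\" rw,\n") while the code immediately below routes ctl->newfile through vah_add_file(&buf, ..., "rwk"); if bypassing the helper for this fixed device path is intentional, a one-line comment saying so would stop a later cleanup from switching it to the helper and changing what gets written to the profile. Enumerating every VIR_DOMAIN_LAUNCH_SECURITY_* case without a default is fine, since a newly added launch-security type will then surface as a compiler warning rather than silently getting no rule.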