Comment 17 for bug 1513367

Two observations after discussing with Hui on IRC:

1) Hugepage filesystem

Right now, the apparmor profile only allows access to:

   # for access to hugepages
  owner "/run/hugepages/kvm/libvirt/qemu/**" rw,

if the hugepage FS is mounted elsewhere, any hugepage access will be blocked by apparmor.

The fact that the rule also specifies a subdirectory may also create problems, but I'm not 100% sure on that (depends on how dpdk shared hugepage memory with the guest device I think).

2) vhost-user device access

The configuration for the vhost-user device created in OVS will also be blocked by apparmor:

  -chardev socket,id=charnet0,path=/var/run/openvswitch/vhu5392206b-dc -netdev type=vhost-user,id=hostnet0,chardev=charnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:e5:41:f1,bus=pci.0,addr=0x3

I'm assuming these will always be located in /var/run/openvswitch - but that's probably a little to generic for an apparmor rule - do they always follow as particular naming convention?