Two observations after discussing with Hui on IRC:
1) Hugepage filesystem
Right now, the apparmor profile only allows access to:
# for access to hugepages
owner "/run/hugepages/kvm/libvirt/qemu/**" rw,
if the hugepage FS is mounted elsewhere, any hugepage access will be blocked by apparmor.
The fact that the rule also specifies a subdirectory may also create problems, but I'm not 100% sure on that (depends on how dpdk shares hugepage memory with the guest device I think).
2) vhost-user device access
The configuration for the vhost-user device created in OVS will also be blocked by apparmor:
-chardev socket,id=charnet0,path=/var/run/openvswitch/vhu5392206b-dc -netdev type=vhost-user,id=hostnet0,chardev=charnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:e5:41:f1,bus=pci.0,addr=0x3
I'm assuming these will always be located in /var/run/openvswitch - but that's probably a little too generic for an apparmor rule - do they always follow a particular naming convention?
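As an added example (not code from the bug report or from the apparmor/libvirt projects), here is a small checker for AppArmor path globs that tests the hugepage and vhost-user paths from the comment against the quoted rule and against two candidate rules; the candidate rules, the /dev/hugepages mount point and the file names under it are assumptions for illustration.

```python
# Added example: a small matcher for AppArmor path globs, used to test the
# hugepage and vhost-user paths from the comment against the existing rule.
# Paths are compared literally; AppArmor matches the kernel-resolved path,
# so a symlinked /var/run -> /run must be written in its resolved form.
import re

# optional "owner", quoted or bare path, permission letters, trailing comma
RULE_RE = re.compile(r'^\s*(?:owner\s+)?(?:"([^"]+)"|(\S+))\s+([a-z]+)\s*,')

def glob_to_regex(pattern):
    """'**' spans '/', '*' and '?' stay in one component, '{a,b}' alternates."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out.append('.*'); i += 2; continue
        c = pattern[i]
        if c == '*':
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            j = pattern.index('}', i)   # alternatives are taken literally
            out.append('(?:%s)' % '|'.join(map(re.escape, pattern[i + 1:j].split(','))))
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')

def parse_rules(profile_text):
    """Return (regex, perms) per path rule; comments and blank lines are skipped."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line) if not line.lstrip().startswith('#') else None
        if m:
            rules.append((glob_to_regex(m.group(1) or m.group(2)), m.group(3)))
    return rules

def allowed(rules, path, perm='rw'):
    """True if some rule matches `path` and grants every letter in `perm`."""
    return any(rx.match(path) and set(perm) <= set(p) for rx, p in rules)

# The rule currently in the profile (quoted in the comment) ...
CURRENT = '# for access to hugepages\nowner "/run/hugepages/kvm/libvirt/qemu/**" rw,\n'
# ... plus two assumed additions (not proposed on the page): a hugetlbfs
# mounted at /dev/hugepages, and OVS vhost-user sockets matched by prefix.
CANDIDATE = CURRENT + '/dev/hugepages/libvirt/qemu/** rw,\n/run/openvswitch/vhu* rw,\n'
```

Calling allowed(parse_rules(CURRENT), '/run/openvswitch/vhu5392206b-dc') returns False, and the same call with CANDIDATE returns True, which is the check to run before widening a profile.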