Quoting James Page (<email address hidden>):
> 2) vhost-user device access
>
> The configuration for the vhost-user device created in OVS will also be
> blocked by apparmor:
>
> -chardev socket,id=charnet0,path=/var/run/openvswitch/vhu5392206b-dc
> -netdev type=vhost-user,id=hostnet0,chardev=charnet0 -device virtio-net-
> pci,netdev=hostnet0,id=net0,mac=fa:16:3e:e5:41:f1,bus=pci.0,addr=0x3
>
> I'm assuming these will always be located in /var/run/openvswitch - but
> that's probably a little too generic for an apparmor rule - do they
> always follow a particular naming convention?
virt-aa-helper should be providing access for this one, not a blanket
allow rule.
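To make the distinction concrete, here is an added example (not libvirt's or virt-aa-helper's own code; the real helper works from the libvirt domain XML rather than the QEMU command line): it pulls the vhost-user socket path out of the QEMU arguments quoted above and emits a per-guest AppArmor rule for exactly that path, which is what a per-VM profile should carry instead of a rule covering all of /var/run/openvswitch. The rule format with `rw` is the usual form for a unix socket the guest must connect to; the sample arguments are constructed from the message.

```python
import shlex

# Constructed sample input: the QEMU arguments quoted in the message above.
QEMU_ARGS = (
    "-chardev socket,id=charnet0,path=/var/run/openvswitch/vhu5392206b-dc "
    "-netdev type=vhost-user,id=hostnet0,chardev=charnet0 "
    "-device virtio-net-pci,netdev=hostnet0,id=net0,"
    "mac=fa:16:3e:e5:41:f1,bus=pci.0,addr=0x3"
)


def parse_qemu_args(argstr):
    """Split a QEMU command line into (option, properties) pairs.

    Each option value is a comma-separated list of key=value pairs; a
    leading bare word (e.g. "socket" in "socket,id=...") is stored as "type".
    """
    tokens = shlex.split(argstr)
    parsed = []
    i = 0
    while i < len(tokens):
        opt = tokens[i].lstrip("-")
        props = {}
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            for part in tokens[i + 1].split(","):
                if "=" in part:
                    key, value = part.split("=", 1)
                    props[key] = value
                else:
                    props["type"] = part
            i += 1
        parsed.append((opt, props))
        i += 1
    return parsed


def vhost_user_socket_paths(argstr):
    """Return the unix socket paths backing every vhost-user netdev."""
    parsed = parse_qemu_args(argstr)
    chardevs = {p["id"]: p for opt, p in parsed if opt == "chardev" and "id" in p}
    paths = []
    for opt, p in parsed:
        if opt == "netdev" and p.get("type") == "vhost-user":
            cdev = chardevs.get(p.get("chardev"), {})
            if cdev.get("type") == "socket" and "path" in cdev:
                paths.append(cdev["path"])
    return paths


def apparmor_rules(paths):
    """One rule per socket path for the guest's own profile, not a directory glob."""
    return ['  "%s" rw,' % path for path in sorted(set(paths))]


if __name__ == "__main__":
    print("\n".join(apparmor_rules(vhost_user_socket_paths(QEMU_ARGS))))
```

Run as-is it prints the single rule line for the socket in the quoted command line; a second vhost-user netdev would add a second path-specific line rather than widening the rule.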