[ 2652.756712] audit: type=1400 audit(1491303691.719:25): apparmor="DENIED" operation="open" profile="libvirt-17a61b87-5132-497c-b928-421ac2ee0c8a" name="/dev/vfio/vfio" pid=8486 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
Usually guides say that a user who wants to provide vfio should uncomment the default-provided but commented-out cgroup_device_acl setting. I was able to confirm that even with that, the case fails with the aforementioned apparmor deny.
As suggested, the right solution is to add it to the base abstraction, /etc/apparmor.d/abstractions/libvirt-qemu, like:
# allow guest access to the generic base vfio interface (LP: #1678322)
/dev/vfio/vfio rw,
The base device should be safe as it has "all but a couple version and extension query interfaces locked away" [1].
This is not new; the open on this has been in the code since 2014, so I wonder if everyone using that just disabled it or tweaked it manually.
This part shall surely be added to the base profile.
Looking into the setrlimit next.
[1]: https://www.kernel.org/doc/Documentation/vfio.txt
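As an added illustration (not code from the bug report or from libvirt), a small POSIX shell script that pulls the fields out of an AppArmor DENIED audit line like the one quoted above and checks whether the libvirt-qemu abstraction already carries the /dev/vfio/vfio rule. The sample audit line is constructed; the abstraction path is the one named in the report.

```shell
#!/bin/sh
# Added example, not from the bug report: pull fields out of an AppArmor
# DENIED audit line and check an abstraction file for the /dev/vfio/vfio rule.

# Constructed sample, modelled on the audit line quoted in the report.
SAMPLE_AUDIT='[ 2652.756712] audit: type=1400 audit(1491303691.719:25): apparmor="DENIED" operation="open" profile="libvirt-17a61b87-5132-497c-b928-421ac2ee0c8a" name="/dev/vfio/vfio" pid=8486 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0'

# audit_field LINE KEY: print the value of KEY="..." or KEY=... from LINE.
audit_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[ :]$2=\"\([^\"]*\)\".*/\1/p; s/.*[ :]$2=\([^ \"]*\).*/\1/p" |
        head -n 1
}

# vfio_denied LINE: succeed when LINE is an AppArmor DENIED on /dev/vfio/vfio.
vfio_denied() {
    [ "$(audit_field "$1" apparmor)" = "DENIED" ] &&
        [ "$(audit_field "$1" name)" = "/dev/vfio/vfio" ]
}

# describe_deny LINE: one-line summary (profile, denied mask, command), or
# "not a vfio deny" when the line is about something else.
describe_deny() {
    if vfio_denied "$1"; then
        printf '%s denied %s for %s\n' \
            "$(audit_field "$1" profile)" \
            "$(audit_field "$1" denied_mask)" \
            "$(audit_field "$1" comm)"
    else
        printf 'not a vfio deny\n'
    fi
}

# abstraction_has_vfio FILE: succeed when FILE has an uncommented rule granting
# read+write on /dev/vfio/vfio (the fix the report describes). Comment lines
# and leading whitespace are tolerated; "wr," is accepted as well as "rw,".
abstraction_has_vfio() {
    grep -Eq '^[[:space:]]*/dev/vfio/vfio[[:space:]]+(rw|wr),' "$1"
}

# Stand-alone run: report on the sample line and, if the host has it, on the
# libvirt-qemu abstraction at the path named in the report.
describe_deny "$SAMPLE_AUDIT"
ABSTRACTION=/etc/apparmor.d/abstractions/libvirt-qemu
if [ -r "$ABSTRACTION" ]; then
    if abstraction_has_vfio "$ABSTRACTION"; then
        echo "$ABSTRACTION: /dev/vfio/vfio rule present"
    else
        echo "$ABSTRACTION: /dev/vfio/vfio rule missing"
    fi
fi
```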