Comment 0 for bug 1680384

Christian Ehrhardt (paelzer) wrote:

By debugging various bugs I've found several entries missing in the libvirt-qemu apparmor abstraction.

Those issues - now that they are understood - are taken out of the original bugs to focus on the remaining debugging there.

None of these are per Guest, so add to /etc/apparmor.d/abstractions/libvirt-qemu

The missing entries as identified are:
#1
For virtual functions, the generic vfio interface in
/etc/apparmor.d/abstractions/libvirt-qemu, like:
  # allow guest access to the generic base vfio interface (LP: #1678322)
  /dev/vfio/vfio rw,

I checked with the security team and also according to https://www.kernel.org/doc/Documentation/vfio.txt this base interface should be safe to be allowed.

#2
Binaries for ppc64el based checks in the kvm wrapper script.
That wrapper extension about smt awareness was tested and works fine as-is, but not when driven via libvirt due to the profile restrictions.

apparmor="DENIED" operation="exec" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/usr/sbin/ppc64_cpu" pid=9539 comm="kvm" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0
apparmor="DENIED" operation="exec" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/bin/grep" pid=9541 comm="kvm" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0

#3
Qemu tries to read who killed it to report on shutdown
[ 518.615420] audit: type=1400 audit(1491467132.255:21): apparmor="DENIED" operation="open" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/proc/7989/cmdline" pid=9531 comm="qemu-system-ppc" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

The following should be rather safe
/proc/*/cmdline r,

That will make the <unknown process> in logs like the following more readable:
"qemu-system-ppc64: terminating on signal 15 from pid 10924 (<unknown process>)"
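The denials quoted in this comment, run through a small parser that turns AppArmor audit lines into candidate abstraction entries. This is an added example and is not part of the comment, of libvirt, or of AppArmor's own tooling (aa-logprof does this job for real profiles). The sample input is the three denial lines quoted above plus one constructed non-denial line; the generalization of `/proc/<pid>/` to `/proc/*/` follows the comment's own `/proc/*/cmdline r,` suggestion. Exec denials are deliberately not turned into rules, because the execute mode (ix/Px/Cx/Ux) is a policy decision the log line cannot make for you.

```python
import re

# Constructed sample: the three DENIED lines quoted in the bug comment plus one
# unrelated STATUS line, to show that only denials are picked up.
SAMPLE_LOG = """\
apparmor="DENIED" operation="exec" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/usr/sbin/ppc64_cpu" pid=9539 comm="kvm" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0
apparmor="DENIED" operation="exec" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/bin/grep" pid=9541 comm="kvm" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0
[ 518.615420] audit: type=1400 audit(1491467132.255:21): apparmor="DENIED" operation="open" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/proc/7989/cmdline" pid=9531 comm="qemu-system-ppc" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" pid=9500 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword, as written by the AppArmor audit backend
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# /proc/<numeric pid>/... is per-process and has to be generalized for a shared abstraction
PID_IN_PROC = re.compile(r'^/proc/\d+/')


def parse_denials(text):
    """Return one dict of key/value fields per apparmor="DENIED" line; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in KV_RE.finditer(line):
            fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
        denials.append(fields)
    return denials


def generalize_path(path):
    """Replace a concrete pid in /proc/<pid>/ with '*', as the comment does for cmdline."""
    return PID_IN_PROC.sub('/proc/*/', path)


def suggest_rules(denials):
    """Map denials to candidate abstraction lines, deduplicated in first-seen order.

    Non-exec denials become '<path> <mask>,'. Exec denials are emitted as a TODO
    comment instead of a rule: the execute transition mode is a policy choice.
    """
    rules = {}
    for d in denials:
        path = generalize_path(d["name"])
        mask = d["denied_mask"]
        if "x" in mask:
            rules[f'# TODO choose exec mode for {path} (denied mask {mask}, comm={d["comm"]})'] = None
        else:
            rules[f"{path} {mask},"] = None
    return list(rules)


def summarize(text):
    """Group suggested rules by the profile that produced the denial.

    Several guest profiles hitting the same path is the hint, used in the comment,
    that the entry belongs in the shared abstraction rather than a per-guest profile.
    """
    by_profile = {}
    for d in parse_denials(text):
        by_profile.setdefault(d["profile"], []).append(d)
    return {profile: suggest_rules(ds) for profile, ds in by_profile.items()}


if __name__ == "__main__":
    for profile, rules in summarize(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for r in rules:
            print("  " + r)
```

Running it on the sample prints the two exec TODOs for the kvm wrapper's helpers and the `/proc/*/cmdline r,` line for the qemu shutdown message, all under the single guest profile from the log; on a real host you would feed it `journalctl -k` or `/var/log/audit/audit.log` output and review every suggested line before adding it to the abstraction.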