There are two ways to allow qemu to access something.
1. globally through the abstraction in /etc/apparmor.d/abstractions/libvirt-qemu
That is for paths ALL qemu/guests are supposed to use like /dev/kvm
2. per guest files generated based on the XML description in /etc/apparmor.d/libvirt/libvirt-<uuid>.files
If you need paths like /sys/bus/pci/devices/0009:03:00.0/devspec to be accessible you should consider if you can derive the path from the XML and then let virt-aa-helper write a rule for it so that the guest can do so.
Finally, later in the guest lifecycle further rules will be added via the labeling calls in the security code. E.g. if you add a device, libvirt calls a set label function and this will add the new rules (like for hotplug).
For the latter see virAppArmorSecurityDriver in src/security/security_apparmor.c
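
The following is an added example, not part of the original comment and not virt-aa-helper's own code: a Python sketch of deriving a per-guest rule for the devspec path from a PCI hostdev address in the domain XML. The sample XML, the function name `pci_devspec_rules` and the exact rule line format are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the original comment); the PCI
# address matches the sysfs path the comment uses as its example.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>demo</name>
  <uuid>00000000-0000-0000-0000-000000000000</uuid>
  <devices>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0009' bus='0x03' slot='0x00' function='0x0'/>
      </source>
    </hostdev>
  </devices>
</domain>
"""

# Upper bounds for domain, bus, slot and function in a PCI address.
PCI_LIMITS = (0xFFFF, 0xFF, 0x1F, 0x7)


def pci_devspec_rules(domain_xml):
    """Return (per-guest rules file, rule lines) for PCI hostdevs in the XML.

    Hypothetical helper: the rule line format is an assumption.
    """
    root = ET.fromstring(domain_xml)
    uuid = root.findtext("uuid")
    rules = []
    for addr in root.findall("./devices/hostdev[@type='pci']/source/address"):
        try:
            # Parse every field as a number: nothing from the XML is copied
            # into the rule as a raw string, so it cannot carry globs or "..".
            vals = [int(addr.get(k, "0"), 0)
                    for k in ("domain", "bus", "slot", "function")]
        except ValueError:
            continue  # malformed address: emit no rule rather than a guess
        if not all(0 <= v <= m for v, m in zip(vals, PCI_LIMITS)):
            continue  # outside the PCI address space
        bdf = "{:04x}:{:02x}:{:02x}.{:x}".format(*vals)
        # Read-only access to exactly one sysfs attribute of this one device.
        rules.append(f'  "/sys/bus/pci/devices/{bdf}/devspec" r,')
    return f"/etc/apparmor.d/libvirt/libvirt-{uuid}.files", rules


if __name__ == "__main__":
    path, lines = pci_devspec_rules(SAMPLE_DOMAIN_XML)
    print(path)
    print("\n".join(lines))
```

Because the rule is rebuilt from parsed integers and grants only `r` on a single file, a guest definition cannot widen its own confinement through a crafted address attribute.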