AppArmor rule to allow QEMU to create a char device socket in a directory

Ken Y-N

8/7/24, 6:39 AM

Given the following command line for QEMU (from this page):

qemu-system-x86_64 -machine accel=kvm -cpu host \
    -m $mem -object memory-backend-file,id=mem,size=$mem,mem-path=/dev/hugepages,share=on \
            -mem-prealloc -numa node,memdev=mem \
    -chardev socket,id=char1,path=/tmp/sock0,server=on

With a default install of Ubuntu 22.04 I get this error:

[12264.014241] audit: type=1400 audit(1691452988.768:416): apparmor="DENIED"
      operation="mknod" class="file" profile="libvirt-ea182d75-dd38-41dd-b227-5b871b0a77bb"
      name="/tmp/sock0" pid=16693 comm="qemu-system-x86" 
      requested_mask="c" denied_mask="c" fsuid=64055 ouid=64055

All the examples I can find on the web are for network sockets or just normal directory permissions, so how do I create a rule to allow AppArmor to permit my operation?

0 + 0

qemu

socket

apparmor

unix-sockets

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: AppArmor rule to allow QEMU to create a char device socket in a directory

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.