[apparmor] [PATCH] Allow access to possible cpus for glibc-2.36

christian.ehrhardt at canonical.com christian.ehrhardt at canonical.com
Mon Nov 14 16:24:42 UTC 2022


From: Christian Ehrhardt <christian.ehrhardt at canonical.com>

Glibc in 2.36 and later will [1] access sysfs at
/sys/devices/system/cpu/possible when using sysconf
for _SC_NPROCESSORS_CONF.

That will make a lot of different code, for example
anything linked against libnuma, trigger this apparmor
denial.

  apparmor="DENIED" operation="open" class="file" ...
  name="/sys/devices/system/cpu/possible" ...
  requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This entry seems rather safe, and it follows others
that are already in place. Instead of fixing each
software individually this should go into the base
profile as well.

Initially reported via
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267

Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
---
 profiles/apparmor.d/abstractions/base | 1 +
 1 file changed, 1 insertion(+)

diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base
index a03be4b07..81c50359e 100644
--- a/profiles/apparmor.d/abstractions/base
+++ b/profiles/apparmor.d/abstractions/base
@@ -101,6 +101,7 @@
   @{PROC}/cpuinfo                r,
   @{sys}/devices/system/cpu/       r,
   @{sys}/devices/system/cpu/online r,
+  @{sys}/devices/system/cpu/possible r,
 
   # glibc's *printf protections read the maps file
   @{PROC}/@{pid}/{maps,auxv,status} r,
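Review bot: The new `possible` rule in this hunk would benefit from a one-line comment stating why it is needed (glibc >= 2.36 reads it from sysconf(_SC_NPROCESSORS_CONF)), in the same style as the `# glibc's *printf protections read the maps file` comment a few lines below; without it, a future reader of the base abstraction sees three bare cpu entries and no hint which glibc behaviour each one serves. As a minor style point, the existing `@{sys}/devices/system/cpu/` and `.../cpu/online` rules align their `r,` in one column, while `@{sys}/devices/system/cpu/possible r,` is one column off; re-aligning the neighbours (or this line) keeps the block consistent. The rule itself is read-only on a single sysfs file and mirrors the already-present `online` entry, so the scope looks right.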
-- 
2.38.1