Apparmor denials with intel-mei interface


#1

intel-mei is a new interface in snapd 2.38 to allow access to /dev/mei* devices.

I’m trying to use this interface in Ubuntu 16.04.
With the “/dev/mei[0-9]+ rw,” line in the AppArmor profile the plug does not work; AppArmor returns “DENIED”.
If I change the line to “/dev/mei[0-9] rw,” it starts to work.
What am I missing here?

Note that I use it from a systemd-started service running under root.


#2

Apparmor regular expressions AARE are a bit different from commonly used REs. Perhaps there’s a bug there? Can you paste the exact denial you get?


#3

Here it is:

Apr 23 09:13:18 sannilnx kernel: [493035.556511] audit: type=1400 audit(1555999998.658:3030): apparmor="DENIED" operation="open" profile="snap.lms.lms" name="/dev/mei0" pid=10511 comm="lms" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

Is there any documentation about AppArmor RE?


#4

The pattern seems incorrect, I’ve opened a PR to fix that: https://github.com/snapcore/snapd/pull/6762 Should land in time for 2.39.


#5

Thanks! Pattern with * also seems to work.
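The thread's root cause is that AppArmor path globbing (AARE) is not a POSIX regular expression: it knows `*` (any characters except `/`), `**` (any characters including `/`), `?`, `[abc]`/`[a-c]`/`[^a]` character classes and `{a,b}` alternation, but `+` is an ordinary literal character, so `/dev/mei[0-9]+` only ever matches a path ending in a digit followed by a literal `+`. The following Python is an added illustration, not code from the thread or from snapd: it parses a denial line of the shape posted above (re-used here as a constructed sample), translates a candidate AARE pattern into a Python regex with a deliberately simplified translator (no nested `{}` alternation, no `\` handling inside `[]`; these are my simplifications, not AppArmor's own parser), and reports which candidate rules would have covered the denied path.

```python
import re

# Constructed sample, modelled on the denial line posted in the thread.
SAMPLE_DENIAL = (
    'audit: type=1400 audit(1555999998.658:3030): apparmor="DENIED" '
    'operation="open" profile="snap.lms.lms" name="/dev/mei0" pid=10511 '
    'comm="lms" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0'
)

# key=value pairs; values are either "quoted" or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict of strings."""
    fields = {}
    for key, raw, quoted in _KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def aare_to_regex(pattern):
    """Translate a (simplified) AppArmor AARE glob into a Python regex.

    Rules implemented: '**' -> any chars incl. '/', '*' -> any chars except '/',
    '?' -> one char except '/', '[...]' passed through as a class,
    '{a,b}' -> alternation, '\\x' -> literal x. Everything else, including
    '+', is a literal, which is exactly why '/dev/mei[0-9]+' fails to match
    '/dev/mei0'. Hypothetical helper, not AppArmor's parser.
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\' and i + 1 < n:          # escaped literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == '*':
            if i + 1 < n and pattern[i + 1] == '*':
                out.append('.*')             # '**' crosses directory boundaries
                i += 2
            else:
                out.append('[^/]*')          # '*' stays within one path component
                i += 1
        elif c == '?':
            out.append('[^/]')
            i += 1
        elif c == '[':
            j = pattern.find(']', i + 1)
            if j == -1:
                raise ValueError('unterminated [ in AARE pattern')
            out.append('[' + pattern[i + 1:j] + ']')  # ranges and ^ negation carry over
            i = j + 1
        elif c == '{':
            j = pattern.find('}', i + 1)
            if j == -1:
                raise ValueError('unterminated { in AARE pattern')
            alts = pattern[i + 1:j].split(',')
            out.append('(?:' + '|'.join(aare_to_regex(a) for a in alts) + ')')
            i = j + 1
        else:
            out.append(re.escape(c))         # any other char, '+' included, is literal
            i += 1
    return ''.join(out)


def aare_matches(pattern, path):
    """True if the AARE pattern matches the whole path."""
    return re.fullmatch(aare_to_regex(pattern), path) is not None


def check_candidates(denial_line, patterns):
    """Map each candidate profile pattern to whether it covers the denied path."""
    path = parse_denial(denial_line)['name']
    return {p: aare_matches(p, path) for p in patterns}


if __name__ == '__main__':
    candidates = ['/dev/mei[0-9]+', '/dev/mei[0-9]', '/dev/mei*', '/dev/mei**']
    for pattern, ok in check_candidates(SAMPLE_DENIAL, candidates).items():
        print(f'{pattern:18} -> {"matches" if ok else "DOES NOT match"} '
              f'(regex: {aare_to_regex(pattern)})')
```

Run as a script it prints one line per candidate; only the first pattern fails, which reproduces what the thread observed. Note the difference between `/dev/mei[0-9]` and `/dev/mei*`: the former stops matching at `/dev/mei10`, the latter does not, and `/dev/mei**` would additionally match anything below a `/dev/mei0/` directory, so the least permissive rule that still covers the device nodes is the one to prefer.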