FILTERS = $(wildcard $(srcdir)/xml/nwfilter/*.xml)
EXTRA_DIST = \
- apparmor/TEMPLATE.qemu \
- apparmor/TEMPLATE.lxc \
- apparmor/libvirt-qemu \
- apparmor/libvirt-lxc \
- apparmor/usr.lib.libvirt.virt-aa-helper \
- apparmor/usr.sbin.libvirtd \
lxcconvert/virt-lxc-convert \
polkit/libvirt-acl.rules \
$(wildcard $(srcdir)/systemtap/*.stp) \
INSTALL_DATA_LOCAL =
UNINSTALL_LOCAL =
-if WITH_APPARMOR_PROFILES
-apparmordir = $(sysconfdir)/apparmor.d/
-apparmor_DATA = \
- apparmor/usr.lib.libvirt.virt-aa-helper \
- apparmor/usr.sbin.libvirtd \
- $(NULL)
-
-abstractionsdir = $(apparmordir)/abstractions
-abstractions_DATA = \
- apparmor/libvirt-qemu \
- apparmor/libvirt-lxc \
- $(NULL)
-
-templatesdir = $(apparmordir)/libvirt
-templates_DATA = \
- apparmor/TEMPLATE.qemu \
- apparmor/TEMPLATE.lxc \
- $(NULL)
-
-APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
-install-apparmor-local:
- $(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
- echo "# Site-specific additions and overrides for \
- 'usr.lib.libvirt.virt-aa-helper'" \
- >"$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"
-
-uninstall-apparmor-local:
- rm -f "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"
- rmdir "$(APPARMOR_LOCAL_DIR)" || :
-
-INSTALL_DATA_LOCAL += install-apparmor-local
-UNINSTALL_LOCAL += uninstall-apparmor-local
-endif WITH_APPARMOR_PROFILES
-
if WITH_NWFILTER
NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
+++ /dev/null
-#
-# This profile is for the domain whose UUID matches this file.
-#
-
-#include <tunables/global>
-
-profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
- #include <abstractions/libvirt-lxc>
-
- # Globally allows everything to run under this profile
- # These can be narrowed depending on the container's use.
- file,
- capability,
- network,
-}
+++ /dev/null
-#
-# This profile is for the domain whose UUID matches this file.
-#
-
-#include <tunables/global>
-
-profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
- #include <abstractions/libvirt-qemu>
-}
+++ /dev/null
-# Last Modified: Fri Feb 7 13:01:36 2014
-
- #include <abstractions/base>
-
- umount,
-
- # ignore DENIED message on / remount
- deny mount options=(ro, remount) -> /,
-
- # allow tmpfs mounts everywhere
- mount fstype=tmpfs,
-
- # allow mqueue mounts everywhere
- mount fstype=mqueue,
-
- # allow fuse mounts everywhere
- mount fstype=fuse.*,
-
- # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
- mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
- deny @{PROC}/sys/fs/** wklx,
-
- # allow efivars to be mounted, writing to it will be blocked though
- mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
-
- # block some other dangerous paths
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/mem rwklx,
- deny @{PROC}/kmem rwklx,
-
- # deny writes in /sys except for /sys/fs/cgroup, also allow
- # fusectl, securityfs and debugfs to be mounted there (read-only)
- mount fstype=fusectl -> /sys/fs/fuse/connections/,
- mount fstype=securityfs -> /sys/kernel/security/,
- mount fstype=debugfs -> /sys/kernel/debug/,
- mount fstype=proc -> /proc/,
- mount fstype=sysfs -> /sys/,
- deny /sys/firmware/efi/efivars/** rwklx,
- deny /sys/kernel/security/** rwklx,
-
- # generated by: lxc-generate-aa-rules.py container-rules.base
- deny /proc/sys/[^kn]*{,/**} wklx,
- deny /proc/sys/k[^e]*{,/**} wklx,
- deny /proc/sys/ke[^r]*{,/**} wklx,
- deny /proc/sys/ker[^n]*{,/**} wklx,
- deny /proc/sys/kern[^e]*{,/**} wklx,
- deny /proc/sys/kerne[^l]*{,/**} wklx,
- deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
- deny /proc/sys/kernel/d[^o]*{,/**} wklx,
- deny /proc/sys/kernel/do[^m]*{,/**} wklx,
- deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
- deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
- deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
- deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
- deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
- deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
- deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
- deny /proc/sys/kernel/domainname?*{,/**} wklx,
- deny /proc/sys/kernel/h[^o]*{,/**} wklx,
- deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
- deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
- deny /proc/sys/kernel/host[^n]*{,/**} wklx,
- deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
- deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
- deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
- deny /proc/sys/kernel/hostname?*{,/**} wklx,
- deny /proc/sys/kernel/m[^s]*{,/**} wklx,
- deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
- deny /proc/sys/kernel/msg*/** wklx,
- deny /proc/sys/kernel/s[^he]*{,/**} wklx,
- deny /proc/sys/kernel/se[^m]*{,/**} wklx,
- deny /proc/sys/kernel/sem*/** wklx,
- deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
- deny /proc/sys/kernel/shm*/** wklx,
- deny /proc/sys/kernel?*{,/**} wklx,
- deny /proc/sys/n[^e]*{,/**} wklx,
- deny /proc/sys/ne[^t]*{,/**} wklx,
- deny /proc/sys/net?*{,/**} wklx,
- deny /sys/[^fdc]*{,/**} wklx,
- deny /sys/c[^l]*{,/**} wklx,
- deny /sys/cl[^a]*{,/**} wklx,
- deny /sys/cla[^s]*{,/**} wklx,
- deny /sys/clas[^s]*{,/**} wklx,
- deny /sys/class/[^n]*{,/**} wklx,
- deny /sys/class/n[^e]*{,/**} wklx,
- deny /sys/class/ne[^t]*{,/**} wklx,
- deny /sys/class/net?*{,/**} wklx,
- deny /sys/class?*{,/**} wklx,
- deny /sys/d[^e]*{,/**} wklx,
- deny /sys/de[^v]*{,/**} wklx,
- deny /sys/dev[^i]*{,/**} wklx,
- deny /sys/devi[^c]*{,/**} wklx,
- deny /sys/devic[^e]*{,/**} wklx,
- deny /sys/device[^s]*{,/**} wklx,
- deny /sys/devices/[^v]*{,/**} wklx,
- deny /sys/devices/v[^i]*{,/**} wklx,
- deny /sys/devices/vi[^r]*{,/**} wklx,
- deny /sys/devices/vir[^t]*{,/**} wklx,
- deny /sys/devices/virt[^u]*{,/**} wklx,
- deny /sys/devices/virtu[^a]*{,/**} wklx,
- deny /sys/devices/virtua[^l]*{,/**} wklx,
- deny /sys/devices/virtual/[^n]*{,/**} wklx,
- deny /sys/devices/virtual/n[^e]*{,/**} wklx,
- deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
- deny /sys/devices/virtual/net?*{,/**} wklx,
- deny /sys/devices/virtual?*{,/**} wklx,
- deny /sys/devices?*{,/**} wklx,
- deny /sys/f[^s]*{,/**} wklx,
- deny /sys/fs/[^c]*{,/**} wklx,
- deny /sys/fs/c[^g]*{,/**} wklx,
- deny /sys/fs/cg[^r]*{,/**} wklx,
- deny /sys/fs/cgr[^o]*{,/**} wklx,
- deny /sys/fs/cgro[^u]*{,/**} wklx,
- deny /sys/fs/cgrou[^p]*{,/**} wklx,
- deny /sys/fs/cgroup?*{,/**} wklx,
- deny /sys/fs?*{,/**} wklx,
+++ /dev/null
-# Last Modified: Wed Sep 3 21:52:03 2014
-
- #include <abstractions/base>
- #include <abstractions/consoles>
- #include <abstractions/nameservice>
-
- # required for reading disk images
- capability dac_override,
- capability dac_read_search,
- capability chown,
-
- # needed to drop privileges
- capability setgid,
- capability setuid,
-
- network inet stream,
- network inet6 stream,
-
- ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
-
- signal (receive) peer=/usr/sbin/libvirtd,
-
- /dev/net/tun rw,
- /dev/kvm rw,
- /dev/ptmx rw,
- /dev/kqemu rw,
- @{PROC}/*/status r,
- # When qemu is signaled to terminate, it will read cmdline of signaling
- # process for reporting purposes. Allowing read access to a process
- # cmdline may leak sensitive information embedded in the cmdline.
- @{PROC}/@{pid}/cmdline r,
- # Per man(5) proc, the kernel enforces that a thread may
- # only modify its comm value or those in its thread group.
- owner @{PROC}/@{pid}/task/@{tid}/comm rw,
- @{PROC}/sys/kernel/cap_last_cap r,
-
- # For hostdev access. The actual devices will be added dynamically
- /sys/bus/usb/devices/ r,
- /sys/devices/**/usb[0-9]*/** r,
- # libusb needs udev data about usb devices (~equal to content of lsusb -v)
- /run/udev/data/c16[6,7]* r,
- /run/udev/data/c18[0,8,9]* r,
- /run/udev/data/+usb* r,
-
- # WARNING: this gives the guest direct access to host hardware and specific
- # portions of shared memory. This is required for sound using ALSA with kvm,
- # but may constitute a security risk. If your environment does not require
- # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
- # the rules for files in /dev.
- /{dev,run}/shm r,
- /{dev,run}/shmpulse-shm* r,
- /{dev,run}/shmpulse-shm* rwk,
- /dev/snd/* rw,
- capability ipc_lock,
- # spice
- owner /{dev,run}/shm/spice.* rw,
- # 'kill' is not required for sound and is a security risk. Do not enable
- # unless you absolutely need it.
- deny capability kill,
-
- # Uncomment the following if you need access to /dev/fb*
- #/dev/fb* rw,
-
- /etc/pulse/client.conf r,
- @{HOME}/.pulse-cookie rwk,
- owner /root/.pulse-cookie rwk,
- owner /root/.pulse/ rw,
- owner /root/.pulse/* rw,
- /usr/share/alsa/** r,
- owner /tmp/pulse-*/ rw,
- owner /tmp/pulse-*/* rw,
- /var/lib/dbus/machine-id r,
-
- # access to firmware's etc
- /usr/share/kvm/** r,
- /usr/share/qemu/** r,
- /usr/share/qemu-kvm/** r,
- /usr/share/bochs/** r,
- /usr/share/openbios/** r,
- /usr/share/openhackware/** r,
- /usr/share/proll/** r,
- /usr/share/vgabios/** r,
- /usr/share/seabios/** r,
- /usr/share/misc/sgabios.bin r,
- /usr/share/ovmf/** r,
- /usr/share/OVMF/** r,
- /usr/share/AAVMF/** r,
- /usr/share/qemu-efi/** r,
- /usr/share/slof/** r,
-
- # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
- /etc/pki/CA/ r,
- /etc/pki/CA/* r,
- /etc/pki/libvirt{,-spice,-vnc}/ r,
- /etc/pki/libvirt{,-spice,-vnc}/** r,
-
- # the various binaries
- /usr/bin/kvm rmix,
- /usr/bin/qemu rmix,
- /usr/bin/qemu-kvm rmix,
- /usr/bin/qemu-system-aarch64 rmix,
- /usr/bin/qemu-system-alpha rmix,
- /usr/bin/qemu-system-arm rmix,
- /usr/bin/qemu-system-cris rmix,
- /usr/bin/qemu-system-i386 rmix,
- /usr/bin/qemu-system-lm32 rmix,
- /usr/bin/qemu-system-m68k rmix,
- /usr/bin/qemu-system-microblaze rmix,
- /usr/bin/qemu-system-microblazeel rmix,
- /usr/bin/qemu-system-mips rmix,
- /usr/bin/qemu-system-mips64 rmix,
- /usr/bin/qemu-system-mips64el rmix,
- /usr/bin/qemu-system-mipsel rmix,
- /usr/bin/qemu-system-moxie rmix,
- /usr/bin/qemu-system-or32 rmix,
- /usr/bin/qemu-system-ppc rmix,
- /usr/bin/qemu-system-ppc64 rmix,
- /usr/bin/qemu-system-ppcemb rmix,
- /usr/bin/qemu-system-s390x rmix,
- /usr/bin/qemu-system-sh4 rmix,
- /usr/bin/qemu-system-sh4eb rmix,
- /usr/bin/qemu-system-sparc rmix,
- /usr/bin/qemu-system-sparc64 rmix,
- /usr/bin/qemu-system-tricore rmix,
- /usr/bin/qemu-system-unicore32 rmix,
- /usr/bin/qemu-system-x86_64 rmix,
- /usr/bin/qemu-system-xtensa rmix,
- /usr/bin/qemu-system-xtensaeb rmix,
- /usr/bin/qemu-aarch64 rmix,
- /usr/bin/qemu-alpha rmix,
- /usr/bin/qemu-arm rmix,
- /usr/bin/qemu-armeb rmix,
- /usr/bin/qemu-cris rmix,
- /usr/bin/qemu-i386 rmix,
- /usr/bin/qemu-m68k rmix,
- /usr/bin/qemu-microblaze rmix,
- /usr/bin/qemu-microblazeel rmix,
- /usr/bin/qemu-mips rmix,
- /usr/bin/qemu-mips64 rmix,
- /usr/bin/qemu-mips64el rmix,
- /usr/bin/qemu-mipsel rmix,
- /usr/bin/qemu-mipsn32 rmix,
- /usr/bin/qemu-mipsn32el rmix,
- /usr/bin/qemu-or32 rmix,
- /usr/bin/qemu-ppc rmix,
- /usr/bin/qemu-ppc64 rmix,
- /usr/bin/qemu-ppc64abi32 rmix,
- /usr/bin/qemu-ppc64le rmix,
- /usr/bin/qemu-s390x rmix,
- /usr/bin/qemu-sh4 rmix,
- /usr/bin/qemu-sh4eb rmix,
- /usr/bin/qemu-sparc rmix,
- /usr/bin/qemu-sparc32plus rmix,
- /usr/bin/qemu-sparc64 rmix,
- /usr/bin/qemu-unicore32 rmix,
- /usr/bin/qemu-x86_64 rmix,
- # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
- /usr/{lib,lib64}/qemu/*.so mr,
- /usr/lib/@{multiarch}/qemu/*.so mr,
-
- # swtpm
- /{usr/,}bin/swtpm rmix,
- /usr/{lib,lib64}/libswtpm_libtpms.so mr,
- /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
-
- # for save and resume
- /{usr/,}bin/dash rmix,
- /{usr/,}bin/dd rmix,
- /{usr/,}bin/cat rmix,
-
- # for restore
- /{usr/,}bin/bash rmix,
-
- # for usb access
- /dev/bus/usb/ r,
- /etc/udev/udev.conf r,
- /sys/bus/ r,
- /sys/class/ r,
-
- # for rbd
- /etc/ceph/ceph.conf r,
-
- # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
- # dir and a few known functions like samba support.
- # We want to avoid to give blanket rw permission to everything under /tmp,
- # users are expected to add site specific addons for more uncommon cases.
- # Qemu processes usually all run as the same users, so the "owner"
- # restriction prevents access to other services files, but not across
- # different instances.
- # This is a tradeoff between usability and security - if paths would be more
- # predictable that would be preferred - at least for write rules we would
- # want more unique paths per rule.
- /{,var/}tmp/ r,
- owner /{,var/}tmp/**/ r,
-
- # for file-posix getting limits since 9103f1ce
- /sys/devices/**/block/*/queue/max_segments r,
-
- # for ppc device-tree access
- @{PROC}/device-tree/ r,
- @{PROC}/device-tree/** r,
- /sys/firmware/devicetree/** r,
-
- # allow connect with openGraphicsFD to work
- unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
-
- # for gathering information about available host resources
- /sys/devices/system/cpu/ r,
- /sys/devices/system/node/ r,
- /sys/devices/system/node/node[0-9]*/meminfo r,
- /sys/module/vhost/parameters/max_mem_regions r,
-
- # silence refusals to open lttng files (see LP: #1432644)
- deny /dev/shm/lttng-ust-wait-* r,
- deny /run/shm/lttng-ust-wait-* r,
-
- # for vfio hotplug on systems without static vfio (LP: #1775777)
- /dev/vfio/vfio rw,
-
- # required for sasl GSSAPI plugin
- /etc/gss/mech.d/ r,
- /etc/gss/mech.d/* r,
+++ /dev/null
-# Last Modified: Mon Apr 5 15:10:27 2010
-#include <tunables/global>
-
-profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
- #include <abstractions/base>
-
- # needed for searching directories
- capability dac_override,
- capability dac_read_search,
-
- # needed for when disk is on a network filesystem
- network inet,
- network inet6,
-
- deny @{PROC}/[0-9]*/mounts r,
- @{PROC}/[0-9]*/net/psched r,
- owner @{PROC}/[0-9]*/status r,
- @{PROC}/filesystems r,
-
- /etc/libnl-3/classid r,
-
- # for hostdev
- /sys/devices/ r,
- /sys/devices/** r,
- /sys/bus/usb/devices/ r,
- deny /dev/sd* r,
- deny /dev/vd* r,
- deny /dev/dm-* r,
- deny /dev/drbd[0-9]* r,
- deny /dev/dasd* r,
- deny /dev/nvme* r,
- deny /dev/zd[0-9]* r,
- deny /dev/mapper/ r,
- deny /dev/mapper/* r,
-
- /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
- /{usr/,}sbin/apparmor_parser Ux,
-
- /etc/apparmor.d/libvirt/* r,
- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
- # as storage pools
- audit deny @{HOME}/.* mrwkl,
- audit deny @{HOME}/.*/ rw,
- audit deny @{HOME}/.*/** mrwkl,
- audit deny @{HOME}/bin/ rw,
- audit deny @{HOME}/bin/** mrwkl,
- @{HOME}/ r,
- @{HOME}/** r,
- /var/lib/libvirt/images/ r,
- /var/lib/libvirt/images/** r,
- /var/lib/nova/instances/_base/* r,
- /{media,mnt,opt,srv}/** r,
- # For virt-sandbox
- /{,var/}run/libvirt/**/[sv]d[a-z] r,
-
- /**.img r,
- /**.raw r,
- /**.qcow{,2} r,
- /**.qed r,
- /**.vmdk r,
- /**.[iI][sS][oO] r,
- /**/disk{,.*} r,
-
- #include <local/usr.lib.libvirt.virt-aa-helper>
-}
+++ /dev/null
-# Last Modified: Mon Apr 5 15:03:58 2010
-#include <tunables/global>
-@{LIBVIRT}="libvirt"
-
-/usr/sbin/libvirtd flags=(attach_disconnected) {
- #include <abstractions/base>
- #include <abstractions/dbus>
-
- capability kill,
- capability net_admin,
- capability net_raw,
- capability setgid,
- capability sys_admin,
- capability sys_module,
- capability sys_ptrace,
- capability sys_pacct,
- capability sys_nice,
- capability sys_chroot,
- capability setuid,
- capability dac_override,
- capability dac_read_search,
- capability fowner,
- capability chown,
- capability setpcap,
- capability mknod,
- capability fsetid,
- capability audit_write,
- capability ipc_lock,
-
- # Needed for vfio
- capability sys_resource,
-
- mount options=(rw,rslave) -> /,
- mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
-
- # libvirt provides any mounts under /dev to qemu namespaces
- mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
- mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
- mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
- mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
-
- network inet stream,
- network inet dgram,
- network inet6 stream,
- network inet6 dgram,
- network netlink raw,
- network packet dgram,
- network packet raw,
-
- # for --p2p migrations
- unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
-
- ptrace (read,trace) peer=unconfined,
- ptrace (read,trace) peer=/usr/sbin/libvirtd,
- ptrace (read,trace) peer=/usr/sbin/dnsmasq,
- ptrace (read,trace) peer=libvirt-*,
-
- signal (send) peer=/usr/sbin/dnsmasq,
- signal (read, send) peer=libvirt-*,
- signal (send) set=("kill", "term") peer=unconfined,
-
- # For communication/control to qemu-bridge-helper
- unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
- signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
-
- # allow connect with openGraphicsFD, direction reversed in newer versions
- unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
- # unconfined also required if guests run without security module
- unix (send, receive) type=stream addr=none peer=(label=unconfined),
-
- # required if guests run unconfined seclabel type='none' but libvirtd is confined
- signal (read, send) peer=unconfined,
-
- # Very lenient profile for libvirtd since we want to first focus on confining
- # the guests. Guests will have a very restricted profile.
- / r,
- /** rwmkl,
-
- /bin/* PUx,
- /sbin/* PUx,
- /usr/bin/* PUx,
- /usr/sbin/virtlogd pix,
- /usr/sbin/* PUx,
- /{usr/,}lib/udev/scsi_id PUx,
- /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
- /usr/{lib,lib64}/xen/bin/* Ux,
- /usr/lib/xen-*/bin/libxl-save-helper PUx,
-
- # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
- # read and run an ebtables script.
- /var/lib/libvirt/virtd* ixr,
-
- # force the use of virt-aa-helper
- audit deny /{usr/,}sbin/apparmor_parser rwxl,
- audit deny /etc/apparmor.d/libvirt/** wxl,
- audit deny /sys/kernel/security/apparmor/features rwxl,
- audit deny /sys/kernel/security/apparmor/matching rwxl,
- audit deny /sys/kernel/security/apparmor/.* rwxl,
- /sys/kernel/security/apparmor/profiles r,
- /usr/{lib,lib64}/libvirt/* PUxr,
- /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
- /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
- /etc/libvirt/hooks/** rmix,
- /etc/xen/scripts/** rmix,
-
- # allow changing to our UUID-based named profiles
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
- /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
- # child profile for bridge helper process
- profile qemu_bridge_helper {
- #include <abstractions/base>
-
- capability setuid,
- capability setgid,
- capability setpcap,
- capability net_admin,
-
- network inet stream,
-
- # For communication/control from libvirtd
- unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
- signal (receive) set=("term") peer=/usr/sbin/libvirtd,
-
- /dev/net/tun rw,
- /etc/qemu/** r,
- owner @{PROC}/*/status r,
-
- /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
- }
-}
$(SECURITY_DRIVER_SELINUX_SOURCES) \
$(SECURITY_DRIVER_APPARMOR_SOURCES) \
$(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES) \
+ security/apparmor/TEMPLATE.qemu \
+ security/apparmor/TEMPLATE.lxc \
+ security/apparmor/libvirt-qemu \
+ security/apparmor/libvirt-lxc \
+ security/apparmor/usr.lib.libvirt.virt-aa-helper \
+ security/apparmor/usr.sbin.libvirtd \
$(NULL)
libvirt_security_manager_la_SOURCES = $(SECURITY_DRIVER_SOURCES)
$(NULL)
endif WITH_LIBVIRTD
endif WITH_SECDRIVER_APPARMOR
+
+if WITH_APPARMOR_PROFILES
+apparmordir = $(sysconfdir)/apparmor.d/
+apparmor_DATA = \
+ security/apparmor/usr.lib.libvirt.virt-aa-helper \
+ security/apparmor/usr.sbin.libvirtd \
+ $(NULL)
+
+abstractionsdir = $(apparmordir)/abstractions
+abstractions_DATA = \
+ security/apparmor/libvirt-qemu \
+ security/apparmor/libvirt-lxc \
+ $(NULL)
+
+templatesdir = $(apparmordir)/libvirt
+templates_DATA = \
+ security/apparmor/TEMPLATE.qemu \
+ security/apparmor/TEMPLATE.lxc \
+ $(NULL)
+
+APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
+install-apparmor-local:
+ $(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
+ echo "# Site-specific additions and overrides for \
+ 'usr.lib.libvirt.virt-aa-helper'" \
+ >"$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"
+
+uninstall-apparmor-local:
+ rm -f "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"
+ rmdir "$(APPARMOR_LOCAL_DIR)" || :
+
+INSTALL_DATA_LOCAL += install-apparmor-local
+UNINSTALL_LOCAL += uninstall-apparmor-local
+endif WITH_APPARMOR_PROFILES
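Review bot: The `install-apparmor-local` recipe redirects unconditionally into `$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper`, so every re-run of `make install` replaces whatever site-specific additions and overrides an administrator has put in that file with the placeholder comment, even though the header the recipe writes declares the file to be exactly that site-specific content. Guard the write so it only seeds a missing file, by prefixing the `echo` line with `test -e "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper" || \` and leaving the redirect on the last line as it is. Separately, `APPARMOR_LOCAL_DIR` is assigned with double quotes and then quoted again at each use site, which only works because the shell concatenates the resulting empty strings; drop the quotes from the assignment and keep them at the uses. This block looks like a verbatim move of the hunk removed from examples/Makefile.am above, so the behaviour predates the commit but the new location is the place to fix it.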
--- /dev/null
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include <tunables/global>
+
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+ #include <abstractions/libvirt-lxc>
+
+ # Globally allows everything to run under this profile
+ # These can be narrowed depending on the container's use.
+ file,
+ capability,
+ network,
+}
--- /dev/null
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include <tunables/global>
+
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+ #include <abstractions/libvirt-qemu>
+}
--- /dev/null
+# Last Modified: Fri Feb 7 13:01:36 2014
+
+ #include <abstractions/base>
+
+ umount,
+
+ # ignore DENIED message on / remount
+ deny mount options=(ro, remount) -> /,
+
+ # allow tmpfs mounts everywhere
+ mount fstype=tmpfs,
+
+ # allow mqueue mounts everywhere
+ mount fstype=mqueue,
+
+ # allow fuse mounts everywhere
+ mount fstype=fuse.*,
+
+ # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+ mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+ deny @{PROC}/sys/fs/** wklx,
+
+ # allow efivars to be mounted, writing to it will be blocked though
+ mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+
+ # block some other dangerous paths
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+
+ # deny writes in /sys except for /sys/fs/cgroup, also allow
+ # fusectl, securityfs and debugfs to be mounted there (read-only)
+ mount fstype=fusectl -> /sys/fs/fuse/connections/,
+ mount fstype=securityfs -> /sys/kernel/security/,
+ mount fstype=debugfs -> /sys/kernel/debug/,
+ mount fstype=proc -> /proc/,
+ mount fstype=sysfs -> /sys/,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+
+ # generated by: lxc-generate-aa-rules.py container-rules.base
+ deny /proc/sys/[^kn]*{,/**} wklx,
+ deny /proc/sys/k[^e]*{,/**} wklx,
+ deny /proc/sys/ke[^r]*{,/**} wklx,
+ deny /proc/sys/ker[^n]*{,/**} wklx,
+ deny /proc/sys/kern[^e]*{,/**} wklx,
+ deny /proc/sys/kerne[^l]*{,/**} wklx,
+ deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
+ deny /proc/sys/kernel/d[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/do[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
+ deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/domainname?*{,/**} wklx,
+ deny /proc/sys/kernel/h[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
+ deny /proc/sys/kernel/host[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/hostname?*{,/**} wklx,
+ deny /proc/sys/kernel/m[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
+ deny /proc/sys/kernel/msg*/** wklx,
+ deny /proc/sys/kernel/s[^he]*{,/**} wklx,
+ deny /proc/sys/kernel/se[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/sem*/** wklx,
+ deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/shm*/** wklx,
+ deny /proc/sys/kernel?*{,/**} wklx,
+ deny /proc/sys/n[^e]*{,/**} wklx,
+ deny /proc/sys/ne[^t]*{,/**} wklx,
+ deny /proc/sys/net?*{,/**} wklx,
+ deny /sys/[^fdc]*{,/**} wklx,
+ deny /sys/c[^l]*{,/**} wklx,
+ deny /sys/cl[^a]*{,/**} wklx,
+ deny /sys/cla[^s]*{,/**} wklx,
+ deny /sys/clas[^s]*{,/**} wklx,
+ deny /sys/class/[^n]*{,/**} wklx,
+ deny /sys/class/n[^e]*{,/**} wklx,
+ deny /sys/class/ne[^t]*{,/**} wklx,
+ deny /sys/class/net?*{,/**} wklx,
+ deny /sys/class?*{,/**} wklx,
+ deny /sys/d[^e]*{,/**} wklx,
+ deny /sys/de[^v]*{,/**} wklx,
+ deny /sys/dev[^i]*{,/**} wklx,
+ deny /sys/devi[^c]*{,/**} wklx,
+ deny /sys/devic[^e]*{,/**} wklx,
+ deny /sys/device[^s]*{,/**} wklx,
+ deny /sys/devices/[^v]*{,/**} wklx,
+ deny /sys/devices/v[^i]*{,/**} wklx,
+ deny /sys/devices/vi[^r]*{,/**} wklx,
+ deny /sys/devices/vir[^t]*{,/**} wklx,
+ deny /sys/devices/virt[^u]*{,/**} wklx,
+ deny /sys/devices/virtu[^a]*{,/**} wklx,
+ deny /sys/devices/virtua[^l]*{,/**} wklx,
+ deny /sys/devices/virtual/[^n]*{,/**} wklx,
+ deny /sys/devices/virtual/n[^e]*{,/**} wklx,
+ deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
+ deny /sys/devices/virtual/net?*{,/**} wklx,
+ deny /sys/devices/virtual?*{,/**} wklx,
+ deny /sys/devices?*{,/**} wklx,
+ deny /sys/f[^s]*{,/**} wklx,
+ deny /sys/fs/[^c]*{,/**} wklx,
+ deny /sys/fs/c[^g]*{,/**} wklx,
+ deny /sys/fs/cg[^r]*{,/**} wklx,
+ deny /sys/fs/cgr[^o]*{,/**} wklx,
+ deny /sys/fs/cgro[^u]*{,/**} wklx,
+ deny /sys/fs/cgrou[^p]*{,/**} wklx,
+ deny /sys/fs/cgroup?*{,/**} wklx,
+ deny /sys/fs?*{,/**} wklx,
--- /dev/null
+# Last Modified: Wed Sep 3 21:52:03 2014
+
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+
+ # required for reading disk images
+ capability dac_override,
+ capability dac_read_search,
+ capability chown,
+
+ # needed to drop privileges
+ capability setgid,
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+
+ ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+ signal (receive) peer=/usr/sbin/libvirtd,
+
+ /dev/net/tun rw,
+ /dev/kvm rw,
+ /dev/ptmx rw,
+ /dev/kqemu rw,
+ @{PROC}/*/status r,
+ # When qemu is signaled to terminate, it will read cmdline of signaling
+ # process for reporting purposes. Allowing read access to a process
+ # cmdline may leak sensitive information embedded in the cmdline.
+ @{PROC}/@{pid}/cmdline r,
+ # Per man(5) proc, the kernel enforces that a thread may
+ # only modify its comm value or those in its thread group.
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/sys/kernel/cap_last_cap r,
+
+ # For hostdev access. The actual devices will be added dynamically
+ /sys/bus/usb/devices/ r,
+ /sys/devices/**/usb[0-9]*/** r,
+ # libusb needs udev data about usb devices (~equal to content of lsusb -v)
+ /run/udev/data/c16[6,7]* r,
+ /run/udev/data/c18[0,8,9]* r,
+ /run/udev/data/+usb* r,
+
+ # WARNING: this gives the guest direct access to host hardware and specific
+ # portions of shared memory. This is required for sound using ALSA with kvm,
+ # but may constitute a security risk. If your environment does not require
+ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+ # the rules for files in /dev.
+ /{dev,run}/shm r,
+ /{dev,run}/shmpulse-shm* r,
+ /{dev,run}/shmpulse-shm* rwk,
+ /dev/snd/* rw,
+ capability ipc_lock,
+ # spice
+ owner /{dev,run}/shm/spice.* rw,
+ # 'kill' is not required for sound and is a security risk. Do not enable
+ # unless you absolutely need it.
+ deny capability kill,
+
+ # Uncomment the following if you need access to /dev/fb*
+ #/dev/fb* rw,
+
+ /etc/pulse/client.conf r,
+ @{HOME}/.pulse-cookie rwk,
+ owner /root/.pulse-cookie rwk,
+ owner /root/.pulse/ rw,
+ owner /root/.pulse/* rw,
+ /usr/share/alsa/** r,
+ owner /tmp/pulse-*/ rw,
+ owner /tmp/pulse-*/* rw,
+ /var/lib/dbus/machine-id r,
+
+ # access to firmware's etc
+ /usr/share/kvm/** r,
+ /usr/share/qemu/** r,
+ /usr/share/qemu-kvm/** r,
+ /usr/share/bochs/** r,
+ /usr/share/openbios/** r,
+ /usr/share/openhackware/** r,
+ /usr/share/proll/** r,
+ /usr/share/vgabios/** r,
+ /usr/share/seabios/** r,
+ /usr/share/misc/sgabios.bin r,
+ /usr/share/ovmf/** r,
+ /usr/share/OVMF/** r,
+ /usr/share/AAVMF/** r,
+ /usr/share/qemu-efi/** r,
+ /usr/share/slof/** r,
+
+ # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
+ /etc/pki/CA/ r,
+ /etc/pki/CA/* r,
+ /etc/pki/libvirt{,-spice,-vnc}/ r,
+ /etc/pki/libvirt{,-spice,-vnc}/** r,
+
+ # the various binaries
+ /usr/bin/kvm rmix,
+ /usr/bin/qemu rmix,
+ /usr/bin/qemu-kvm rmix,
+ /usr/bin/qemu-system-aarch64 rmix,
+ /usr/bin/qemu-system-alpha rmix,
+ /usr/bin/qemu-system-arm rmix,
+ /usr/bin/qemu-system-cris rmix,
+ /usr/bin/qemu-system-i386 rmix,
+ /usr/bin/qemu-system-lm32 rmix,
+ /usr/bin/qemu-system-m68k rmix,
+ /usr/bin/qemu-system-microblaze rmix,
+ /usr/bin/qemu-system-microblazeel rmix,
+ /usr/bin/qemu-system-mips rmix,
+ /usr/bin/qemu-system-mips64 rmix,
+ /usr/bin/qemu-system-mips64el rmix,
+ /usr/bin/qemu-system-mipsel rmix,
+ /usr/bin/qemu-system-moxie rmix,
+ /usr/bin/qemu-system-or32 rmix,
+ /usr/bin/qemu-system-ppc rmix,
+ /usr/bin/qemu-system-ppc64 rmix,
+ /usr/bin/qemu-system-ppcemb rmix,
+ /usr/bin/qemu-system-s390x rmix,
+ /usr/bin/qemu-system-sh4 rmix,
+ /usr/bin/qemu-system-sh4eb rmix,
+ /usr/bin/qemu-system-sparc rmix,
+ /usr/bin/qemu-system-sparc64 rmix,
+ /usr/bin/qemu-system-tricore rmix,
+ /usr/bin/qemu-system-unicore32 rmix,
+ /usr/bin/qemu-system-x86_64 rmix,
+ /usr/bin/qemu-system-xtensa rmix,
+ /usr/bin/qemu-system-xtensaeb rmix,
+ /usr/bin/qemu-aarch64 rmix,
+ /usr/bin/qemu-alpha rmix,
+ /usr/bin/qemu-arm rmix,
+ /usr/bin/qemu-armeb rmix,
+ /usr/bin/qemu-cris rmix,
+ /usr/bin/qemu-i386 rmix,
+ /usr/bin/qemu-m68k rmix,
+ /usr/bin/qemu-microblaze rmix,
+ /usr/bin/qemu-microblazeel rmix,
+ /usr/bin/qemu-mips rmix,
+ /usr/bin/qemu-mips64 rmix,
+ /usr/bin/qemu-mips64el rmix,
+ /usr/bin/qemu-mipsel rmix,
+ /usr/bin/qemu-mipsn32 rmix,
+ /usr/bin/qemu-mipsn32el rmix,
+ /usr/bin/qemu-or32 rmix,
+ /usr/bin/qemu-ppc rmix,
+ /usr/bin/qemu-ppc64 rmix,
+ /usr/bin/qemu-ppc64abi32 rmix,
+ /usr/bin/qemu-ppc64le rmix,
+ /usr/bin/qemu-s390x rmix,
+ /usr/bin/qemu-sh4 rmix,
+ /usr/bin/qemu-sh4eb rmix,
+ /usr/bin/qemu-sparc rmix,
+ /usr/bin/qemu-sparc32plus rmix,
+ /usr/bin/qemu-sparc64 rmix,
+ /usr/bin/qemu-unicore32 rmix,
+ /usr/bin/qemu-x86_64 rmix,
+ # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
+ /usr/{lib,lib64}/qemu/*.so mr,
+ /usr/lib/@{multiarch}/qemu/*.so mr,
+
+ # swtpm
+ /{usr/,}bin/swtpm rmix,
+ /usr/{lib,lib64}/libswtpm_libtpms.so mr,
+ /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
+
+ # for save and resume
+ /{usr/,}bin/dash rmix,
+ /{usr/,}bin/dd rmix,
+ /{usr/,}bin/cat rmix,
+
+ # for restore
+ /{usr/,}bin/bash rmix,
+
+ # for usb access
+ /dev/bus/usb/ r,
+ /etc/udev/udev.conf r,
+ /sys/bus/ r,
+ /sys/class/ r,
+
+ # for rbd
+ /etc/ceph/ceph.conf r,
+
+ # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
+ # dir and a few known functions like samba support.
+ # We want to avoid to give blanket rw permission to everything under /tmp,
+ # users are expected to add site specific addons for more uncommon cases.
+ # Qemu processes usually all run as the same users, so the "owner"
+ # restriction prevents access to other services files, but not across
+ # different instances.
+ # This is a tradeoff between usability and security - if paths would be more
+ # predictable that would be preferred - at least for write rules we would
+ # want more unique paths per rule.
+ /{,var/}tmp/ r,
+ owner /{,var/}tmp/**/ r,
+
+ # for file-posix getting limits since 9103f1ce
+ /sys/devices/**/block/*/queue/max_segments r,
+
+ # for ppc device-tree access
+ @{PROC}/device-tree/ r,
+ @{PROC}/device-tree/** r,
+ /sys/firmware/devicetree/** r,
+
+ # allow connect with openGraphicsFD to work
+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+
+ # for gathering information about available host resources
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/node[0-9]*/meminfo r,
+ /sys/module/vhost/parameters/max_mem_regions r,
+
+ # silence refusals to open lttng files (see LP: #1432644)
+ deny /dev/shm/lttng-ust-wait-* r,
+ deny /run/shm/lttng-ust-wait-* r,
+
+ # for vfio hotplug on systems without static vfio (LP: #1775777)
+ /dev/vfio/vfio rw,
+
+ # required for sasl GSSAPI plugin
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/* r,
--- /dev/null
+# Last Modified: Mon Apr 5 15:10:27 2010
+#include <tunables/global>
+
+profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+ #include <abstractions/base>
+
+ # needed for searching directories
+ capability dac_override,
+ capability dac_read_search,
+
+ # needed for when disk is on a network filesystem
+ network inet,
+ network inet6,
+
+ deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/net/psched r,
+ owner @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+
+ /etc/libnl-3/classid r,
+
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+ /sys/bus/usb/devices/ r,
+ deny /dev/sd* r,
+ deny /dev/vd* r,
+ deny /dev/dm-* r,
+ deny /dev/drbd[0-9]* r,
+ deny /dev/dasd* r,
+ deny /dev/nvme* r,
+ deny /dev/zd[0-9]* r,
+ deny /dev/mapper/ r,
+ deny /dev/mapper/* r,
+
+ /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
+ /{usr/,}sbin/apparmor_parser Ux,
+
+ /etc/apparmor.d/libvirt/* r,
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
+ # as storage pools
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
+ /var/lib/nova/instances/_base/* r,
+ /{media,mnt,opt,srv}/** r,
+ # For virt-sandbox
+ /{,var/}run/libvirt/**/[sv]d[a-z] r,
+
+ /**.img r,
+ /**.raw r,
+ /**.qcow{,2} r,
+ /**.qed r,
+ /**.vmdk r,
+ /**.[iI][sS][oO] r,
+ /**/disk{,.*} r,
+
+ #include <local/usr.lib.libvirt.virt-aa-helper>
+}
--- /dev/null
+# Last Modified: Mon Apr 5 15:03:58 2010
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
+ capability sys_pacct,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability setpcap,
+ capability mknod,
+ capability fsetid,
+ capability audit_write,
+ capability ipc_lock,
+
+ # Needed for vfio
+ capability sys_resource,
+
+ mount options=(rw,rslave) -> /,
+ mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
+
+ # libvirt provides any mounts under /dev to qemu namespaces
+ mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
+ mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
+ mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
+ mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
+
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+ network netlink raw,
+ network packet dgram,
+ network packet raw,
+
+ # for --p2p migrations
+ unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
+
+ ptrace (read,trace) peer=unconfined,
+ ptrace (read,trace) peer=/usr/sbin/libvirtd,
+ ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+ ptrace (read,trace) peer=libvirt-*,
+
+ signal (send) peer=/usr/sbin/dnsmasq,
+ signal (read, send) peer=libvirt-*,
+ signal (send) set=("kill", "term") peer=unconfined,
+
+ # For communication/control to qemu-bridge-helper
+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
+ signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
+
+ # allow connect with openGraphicsFD, direction reversed in newer versions
+ unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+ # unconfined also required if guests run without security module
+ unix (send, receive) type=stream addr=none peer=(label=unconfined),
+
+ # required if guests run unconfined seclabel type='none' but libvirtd is confined
+ signal (read, send) peer=unconfined,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
+ / r,
+ /** rwmkl,
+
+ /bin/* PUx,
+ /sbin/* PUx,
+ /usr/bin/* PUx,
+ /usr/sbin/virtlogd pix,
+ /usr/sbin/* PUx,
+ /{usr/,}lib/udev/scsi_id PUx,
+ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+ /usr/{lib,lib64}/xen/bin/* Ux,
+ /usr/lib/xen-*/bin/libxl-save-helper PUx,
+
+ # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+ # read and run an ebtables script.
+ /var/lib/libvirt/virtd* ixr,
+
+ # force the use of virt-aa-helper
+ audit deny /{usr/,}sbin/apparmor_parser rwxl,
+ audit deny /etc/apparmor.d/libvirt/** wxl,
+ audit deny /sys/kernel/security/apparmor/features rwxl,
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ /usr/{lib,lib64}/libvirt/* PUxr,
+ /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
+ /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
+
+ # allow changing to our UUID-based named profiles
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+ /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+ # child profile for bridge helper process
+ profile qemu_bridge_helper {
+ #include <abstractions/base>
+
+ capability setuid,
+ capability setgid,
+ capability setpcap,
+ capability net_admin,
+
+ network inet stream,
+
+ # For communication/control from libvirtd
+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+ signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+
+ /dev/net/tun rw,
+ /etc/qemu/** r,
+ owner @{PROC}/*/status r,
+
+ /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
+ }
+}