firepol

My apparmor libvirt-qemu

Sep 3rd, 2016
# Last Modified: Wed Jul  8 09:57:41 2009
# NOTE(review): no enclosing 'profile' header is visible here, so this looks
# like the body of the libvirt-qemu abstraction, i.e. the rule set that is
# #included into every guest's profile -- confirm against the file's caller.

  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # required for reading disk images
  capability dac_override,
  capability dac_read_search,
  capability chown,

  # needed to drop privileges
  capability setgid,
  capability setuid,

  # this is needed with libcap-ng support, however it breaks a lot of things
  # atm, so just silence the denial until libcap-ng works right. LP: #522845
  deny capability setpcap,

  network inet stream,
  network inet6 stream,

  /dev/net/tun rw,
  /dev/tap* rw,
  /dev/kvm rw,
  /dev/ptmx rw,
  /dev/kqemu rw,
  # NOTE(review): not owner-restricted, so the status file of every process
  # on the host is readable; the auxv rule below is owner-only.
  @{PROC}/*/status r,
  @{PROC}/sys/kernel/cap_last_cap r,
  owner @{PROC}/*/auxv r,
  @{PROC}/sys/vm/overcommit_memory r,
  38.  
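  # For hostdev access. The actual devices will be added dynamically
  /sys/bus/usb/devices/ r,
  /sys/devices/**/usb[0-9]*/** r,

  # WARNING: this gives the guest direct access to host hardware and specific
  # portions of shared memory. This is required for sound using ALSA with kvm,
  # but may constitute a security risk. If your environment does not require
  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
  # the rules for files in /dev.
  # The '/' after shm is part of the path: '/{dev,run}/shmpulse-shm*' would
  # name a non-existent file, and a directory is only matched by a rule that
  # ends in '/'.
  /{dev,run}/shm/ r,
  /{dev,run}/shm/pulse-shm* r,
  /{dev,run}/shm/pulse-shm* rwk,
  /dev/snd/* rw,
  capability ipc_lock,
  # spice
  /usr/bin/qemu-system-i386-spice rmix,
  /usr/bin/qemu-system-x86_64-spice rmix,
  # owner-restricted: spice shm segments of other users stay out of reach
  owner /{dev,run}/shm/spice.* rw,
  # 'kill' is not required for sound and is a security risk. Do not enable
  # unless you absolutely need it.
  deny capability kill,

  # Uncomment the following if you need access to /dev/fb*
  #/dev/fb* rw,

  /etc/pulse/client.conf r,
  @{HOME}/.pulse-cookie rwk,
  # Only necessary if running as root, which we no longer are
  #owner /root/.pulse-cookie rwk,
  #owner /root/.pulse/ rw,
  #owner /root/.pulse/* rw,
  /usr/share/alsa/** r,
  owner /tmp/pulse-*/ rw,
  owner /tmp/pulse-*/* rw,
  /var/lib/dbus/machine-id r,
  # NOTE(review): not owner-restricted, so this is read/write under ~/.pulse/
  # of every account @{HOME} expands to. Prefix 'owner' (as the /tmp/pulse-*
  # rules above do) if qemu runs as the user that owns the pulse config.
  @{HOME}/.pulse/** rw,
  #Hugepages and vfio
  # NOTE(review): the wildcard exposes every vfio group to every guest; the
  # per-domain rules that are added dynamically normally cover only the
  # group(s) a domain was assigned -- confirm the wildcard is still needed.
  /dev/vfio/* rw,
  # NOTE(review): no '/' before '**', so this also matches sibling names such
  # as /dev/hugepages/libvirt-*. The intended tree is already covered by the
  # owner-restricted "/dev/hugepages/libvirt/qemu/**" rule further down, so
  # this line is probably redundant.
  /dev/hugepages/libvirt** rw,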
  79.  
  # access to firmware's etc
  # Read-only: guest firmware / BIOS / ROM images. Nothing below is writable.
  /usr/share/kvm/** r,
  /usr/share/qemu/** r,
  /usr/share/bochs/** r,
  /usr/share/openbios/** r,
  /usr/share/openhackware/** r,
  /usr/share/proll/** r,
  /usr/share/vgabios/** r,
  /usr/share/seabios/** r,
  /usr/share/misc/sgabios.bin r,
  /usr/share/ovmf/** r,
  /usr/share/slof/** r,

  # access PKI infrastructure
  # presumably the TLS certificates/keys qemu's VNC server loads; read-only.
  /etc/pki/libvirt-vnc/** r,
  95.  
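  # the various binaries
  # 'ix' (inherit execute): when qemu re-execs one of these it stays under
  # the calling guest's profile, so confinement is not lost across the exec.
  # The list is kept sorted per family; duplicates add nothing.
  /usr/bin/kvm rmix,
  /usr/bin/qemu rmix,
  /usr/bin/qemu-system-aarch64 rmix,
  /usr/bin/qemu-system-alpha rmix,
  /usr/bin/qemu-system-arm rmix,
  /usr/bin/qemu-system-cris rmix,
  /usr/bin/qemu-system-i386 rmix,
  /usr/bin/qemu-system-lm32 rmix,
  /usr/bin/qemu-system-m68k rmix,
  /usr/bin/qemu-system-microblaze rmix,
  /usr/bin/qemu-system-microblazeel rmix,
  /usr/bin/qemu-system-mips rmix,
  /usr/bin/qemu-system-mips64 rmix,
  /usr/bin/qemu-system-mips64el rmix,
  /usr/bin/qemu-system-mipsel rmix,
  /usr/bin/qemu-system-moxie rmix,
  /usr/bin/qemu-system-or32 rmix,
  /usr/bin/qemu-system-ppc rmix,
  /usr/bin/qemu-system-ppc64 rmix,
  /usr/bin/qemu-system-ppc64le rmix,
  /usr/bin/qemu-system-ppcemb rmix,
  /usr/bin/qemu-system-s390x rmix,
  /usr/bin/qemu-system-sh4 rmix,
  /usr/bin/qemu-system-sh4eb rmix,
  /usr/bin/qemu-system-sparc rmix,
  /usr/bin/qemu-system-sparc64 rmix,
  /usr/bin/qemu-system-tricore rmix,
  /usr/bin/qemu-system-unicore32 rmix,
  /usr/bin/qemu-system-x86_64 rmix,
  /usr/bin/qemu-system-x86_64-spice rmix,
  /usr/bin/qemu-system-xtensa rmix,
  /usr/bin/qemu-system-xtensaeb rmix,
  /usr/bin/qemu-aarch64 rmix,
  /usr/bin/qemu-alpha rmix,
  /usr/bin/qemu-arm rmix,
  /usr/bin/qemu-armeb rmix,
  /usr/bin/qemu-cris rmix,
  /usr/bin/qemu-i386 rmix,
  /usr/bin/qemu-m68k rmix,
  /usr/bin/qemu-microblaze rmix,
  /usr/bin/qemu-microblazeel rmix,
  /usr/bin/qemu-mips rmix,
  /usr/bin/qemu-mipsel rmix,
  /usr/bin/qemu-mips64 rmix,
  /usr/bin/qemu-mips64el rmix,
  /usr/bin/qemu-mipsn32 rmix,
  /usr/bin/qemu-mipsn32el rmix,
  /usr/bin/qemu-or32 rmix,
  /usr/bin/qemu-ppc rmix,
  /usr/bin/qemu-ppc64 rmix,
  /usr/bin/qemu-ppc64abi32 rmix,
  /usr/bin/qemu-ppc64le rmix,
  /usr/bin/qemu-s390x rmix,
  /usr/bin/qemu-sh4 rmix,
  /usr/bin/qemu-sh4eb rmix,
  /usr/bin/qemu-sparc rmix,
  /usr/bin/qemu-sparc32plus rmix,
  /usr/bin/qemu-sparc64 rmix,
  /usr/bin/qemu-unicore32 rmix,
  /usr/bin/qemu-x86_64 rmix,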
  158.  
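  # for save and resume
  # These run under 'ix', i.e. inside the calling guest's profile, so they
  # get no rights beyond what this abstraction and the per-domain rules grant.
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,
  /etc/pki/CA/ r,
  /etc/pki/CA/* r,
  /etc/pki/libvirt/ r,
  /etc/pki/libvirt/** r,

  # kvm.powerpc executes this
  /bin/uname rmix,

  # for rbd
  /etc/ceph/ceph.conf r,

  # for qemu-block-extra
  /usr/lib/@{multiarch}/qemu/*.so rm,

  # for access to hugepages
  owner "/run/hugepages/kvm/libvirt/qemu/**" rw,
  owner "/dev/hugepages/libvirt/qemu/**" rw,

  # for usb access
  /dev/bus/usb/ r,
  /etc/udev/udev.conf r,
  /sys/bus/ r,
  /sys/class/ r,

  # signals and ptrace from libvirtd are accepted here; any other peer needs
  # a rule of its own (e.g. from abstractions/base or the outer profile)
  signal (receive) peer=/usr/sbin/libvirtd,
  ptrace (tracedby) peer=/usr/sbin/libvirtd,

  # for ppc device-tree access
  @{PROC}/device-tree/ r,
  @{PROC}/device-tree/** r,
  /sys/firmware/devicetree/** r,

  # allow access to charm-specific ceph config (see lp#1403648)
  /var/lib/charm/*/ceph.conf r,
  # silence spurious denials (see lp#1403648)
  deny /tmp/{,**} r,
  deny /var/tmp/{,**} r,

  # silence refusals to open lttng files (see lp#1432644)
  deny /dev/shm/lttng-ust-wait-* r,
  deny /run/shm/lttng-ust-wait-* r,

  # allow serial console backed by pts chardev (LP: #1342083)
  /usr/lib/pt_chown ix,
  # '[0-9]*' is a character class matching the numeric pid directories; a
  # bare '0-9*' only matches a component that literally starts with "0-9".
  owner @{PROC}/[0-9]*/fd/ r,

  # 'Cx': the helper runs under the child profile defined below, so the
  # extra capabilities it needs never accrue to the qemu process itself.
  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,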
  # child profile for bridge helper process
  # Entered through the 'Cx -> qemu_bridge_helper' transition on the
  # qemu-bridge-helper rule, so everything granted here (net_admin, setpcap,
  # fsetid, fowner, ...) applies to the helper only and not to the guest
  # process. setpcap is allowed here although it is denied in the parent.
  profile qemu_bridge_helper {
   #include <abstractions/base>

   capability setuid,
   capability setgid,
   capability setpcap,
   capability net_admin,

   # for 9p
   capability fsetid,
   capability fowner,

   network inet stream,

   /dev/net/tun rw,
   /etc/qemu/** r,
   owner @{PROC}/*/status r,

   # 'ix' on itself: a re-exec of the helper stays in this child profile
   /usr/{lib,libexec}/qemu-bridge-helper rmix,
  }