# Source: github.com/mirantis/virtlet deploy/apparmor/libvirtd
# Profile is based on the upstream libvirt profile
#include <tunables/global>

# attach_disconnected: paths that become disconnected from the namespace root
# (for example after the daemon moves into another mount namespace) are still
# mediated by the rules below instead of being denied outright.
profile libvirtd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/dbus>

  # Capability set. The breadth matters when assessing this profile:
  # sys_admin covers most privileged administrative operations, sys_module
  # permits loading kernel modules, and sys_ptrace / dac_override /
  # dac_read_search bypass the normal process and file permission checks.
  # What the profile restricts is therefore mainly paths and exec transitions,
  # not privilege level.
  capability kill,
  capability net_admin,
  capability net_raw,
  capability setgid,
  capability sys_admin,
  capability sys_module,
  capability sys_ptrace,
  capability sys_nice,
  capability sys_chroot,
  capability setuid,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability chown,
  capability setpcap,
  capability mknod,
  capability fsetid,
  capability ipc_lock,
  capability audit_write,

  # Needed for vfio
  capability sys_resource,

  # Socket families/types the daemon may create. "network packet dgram"
  # together with net_raw allows raw packet sockets; "network netlink" with no
  # type given allows any netlink socket.
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  network packet dgram,
  network netlink,

  # Bare rules for these classes mean "allow everything in the class":
  # any message on the system D-Bus, any signal to any process, ptrace of any
  # process (subject to the capability above), any unix socket.
  dbus bus=system,
  signal,
  ptrace,
  unix,

  # Unrestricted mount/umount (no source, target or option filter).
  allow mount,
  allow umount,

  # for now, use a very lenient profile since we want to first focus on
  # confining the guests
  #
  # "/** rwmkl" grants read, write, mmap, lock and link on every path, so there
  # is effectively no filesystem confinement here; only execute (x) is still
  # decided by the explicit rules below.  A denial logged against this
  # profile will almost always be an exec transition, not a file access.
  / r,
  /** rwmkl,

  # PUx: run the target under its own profile if one is loaded, otherwise run
  # it unconfined (capital U scrubs the environment).  For the /bin, /sbin,
  # /usr/bin and /usr/sbin globs this covers every system binary.
  /bin/* PUx,
  /sbin/* PUx,
  /usr/bin/* PUx,
  /usr/sbin/* PUx,
  /lib/udev/scsi_id PUx,
  /usr/lib/xen-common/bin/xen-toolstack PUx,
  /usr/lib/xen-*/bin/pygrub PUx,
  /usr/lib/xen-*/bin/libxl-save-helper PUx,

  # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
  # write and run an ebtables script.
  # ix: the script inherits this profile rather than transitioning.
  /var/lib/libvirt/virtd* ixr,

  # Hook and helper execution.  rmix = read, mmap and inherit-execute;
  # PUxr = read plus the PUx transition described above.  The libvirtd
  # re-exec of itself (rix) stays confined by this profile.
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,
  /usr/lib/libvirt/* PUxr,
  /usr/sbin/libvirtd rix,

  # Read access to the list of loaded AppArmor profiles; presumably used by
  # libvirt's security driver to check whether per-guest profiles exist —
  # confirm against the libvirt build in use.
  /sys/kernel/security/apparmor/profiles r,

  # NOTE(review): /vmwrapper is not part of the upstream libvirt profile; it
  # looks like virtlet's VM wrapper binary at the filesystem root.  rix means
  # it runs confined by this same profile rather than by a profile of its own.
  /vmwrapper rix,
}