%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /etc/apparmor.d/
Upload File :
Create Path :
Current File : //etc/apparmor.d/usr.sbin.libvirtd

# Last Modified: Mon Apr  5 15:03:58 2010
#include <tunables/global>
@{LIBVIRT}="libvirt"

/usr/sbin/libvirtd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/dbus>

  capability kill,
  capability net_admin,
  capability net_raw,
  capability setgid,
  capability sys_admin,
  capability sys_module,
  capability sys_ptrace,
  capability sys_pacct,
  capability sys_nice,
  capability sys_chroot,
  capability setuid,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability chown,
  capability setpcap,
  capability mknod,
  capability fsetid,
  capability audit_write,
  capability ipc_lock,

  # Needed for vfio
  capability sys_resource,

  mount options=(rw,rslave)  -> /,
  mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,

  mount options=(rw, move) /dev/           -> /{var/,}run/libvirt/qemu/*.dev/,
  mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/,
  mount options=(rw, move) /dev/mqueue/    -> /{var/,}run/libvirt/qemu/*.mqueue/,
  mount options=(rw, move) /dev/pts/       -> /{var/,}run/libvirt/qemu/*.pts/,
  mount options=(rw, move) /dev/shm/       -> /{var/,}run/libvirt/qemu/*.shm/,

  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/       -> /dev/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/    -> /dev/mqueue/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/       -> /dev/pts/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/       -> /dev/shm/,

  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  network netlink raw,
  network packet dgram,
  network packet raw,

  # for --p2p migrations
  unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),

  ptrace (read,trace) peer=unconfined,
  ptrace (read,trace) peer=/usr/sbin/libvirtd,
  ptrace (read,trace) peer=/usr/sbin/dnsmasq,
  ptrace (read,trace) peer=libvirt-*,

  signal (send) peer=/usr/sbin/dnsmasq,
  signal (read, send) peer=libvirt-*,
  signal (send) set=("kill", "term") peer=unconfined,

  # Since libvirt 4.0 we also need the reverse direction (LP: #1741617)
  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
  # unconfined also required if guests run without security module
  unix (send, receive) type=stream addr=none peer=(label=unconfined),

  # required if guests run unconfined seclabel type='none' but libvirtd is confined
  signal (read, send) peer=unconfined,

  # Very lenient profile for libvirtd since we want to first focus on confining
  # the guests. Guests will have a very restricted profile.
  / r,
  /** rwmkl,

  /bin/* PUx,
  /sbin/* PUx,
  /usr/bin/* PUx,
  /usr/sbin/virtlogd pix,
  /usr/sbin/* PUx,
  /{usr/,}lib/udev/scsi_id PUx,
  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
  /usr/{lib,lib64}/xen/bin/* Ux,
  /usr/lib/xen-*/bin/libxl-save-helper PUx,
  /usr/lib/xen-*/bin/pygrub PUx,

  # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
  # read and run an ebtables script.
  /var/lib/libvirt/virtd* ixr,

  # force the use of virt-aa-helper
  audit deny /{usr/,}sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,
  /sys/kernel/security/apparmor/profiles r,
  /usr/{lib,lib64}/libvirt/* PUxr,
  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,

  # allow changing to our UUID-based named profiles
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
  # child profile for bridge helper process
  profile qemu_bridge_helper {
   #include <abstractions/base>

   capability setuid,
   capability setgid,
   capability setpcap,
   capability net_admin,

   network inet stream,

   /dev/net/tun rw,
   /etc/qemu/** r,
   owner @{PROC}/*/status r,

   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
  }
  
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.libvirtd>
}

Zerion Mini Shell 1.0