Profiles update.

2021-09-26 17:28:26 +01:00 · 2021-09-26 17:28:26 +01:00 · 18e4745fb1
commit 18e4745fb1
parent 937171d40c
27 changed files with 103 additions and 67 deletions
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -84,22 +84,20 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  / r,
  /** rwmkl,

-  /bin/* PUx,
-  /sbin/* PUx,
-  /usr/bin/* PUx,
+  /{usr/,}bin/* rPUx,
+  /{usr/,}sbin/* rPUx,
  /{usr/,}{,s}bin/virtlogd rPx,
-  /usr/sbin/* PUx,
-  /{usr/,}lib/udev/scsi_id PUx,
-  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
-  /usr/{lib,lib64}/xen/bin/* Ux,
-  @{libexec}/xen-*/bin/libxl-save-helper PUx,
-  @{libexec}/xen-*/bin/pygrub PUx,
-  /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
-  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
+  /{usr/,}lib/udev/scsi_id rPUx,
+  /usr/{lib,lib64}/xen-common/bin/xen-toolstack rPUx,
+  /usr/{lib,lib64}/xen/bin/* rUx,
+  @{libexec}/xen-*/bin/libxl-save-helper rPUx,
+  @{libexec}/xen-*/bin/pygrub rPUx,
+  /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx,
+  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd rPUx,

  # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
  # read and run an ebtables script.
-  /var/lib/libvirt/virtd* ixr,
+  /var/lib/libvirt/virtd* rix,

  # force the use of virt-aa-helper
  audit deny /{usr/,}{s,}bin/apparmor_parser rwxl,
@ -108,7 +106,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,
  /sys/kernel/security/apparmor/profiles r,
-  /usr/lib/libvirt/* PUxr,
+  /usr/lib/libvirt/* rPUx,
  /usr/lib/libvirt/libvirt_parthelper ix,
  /usr/lib/libvirt/libvirt_iohelper ix,
  /etc/libvirt/hooks/** rmix,