feat(profiles): general update.

2022-11-29 12:02:38 +00:00 · 2022-11-29 12:02:38 +00:00 · 1e5d90afe8
commit 1e5d90afe8
parent d52a7bd52a
19 changed files with 78 additions and 37 deletions
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -21,6 +21,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  capability kill,
  capability mknod,
  capability net_admin,
+  capability setfcap,
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,
@ -60,12 +61,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/ps                      rPx,
  /{usr/,}bin/unpigz                  rix,

-  # Docker needs full access of its containers.
+  # Docker needs full access of the containers it manage.
  # TODO: should be in a sub profile started with pivot_root, not supported yet.
-  /{,**} rw,
-  deny /boot/{,**} rw,
-  deny /media/{,**} rw,
-  deny /mnt/{,**} rw,
+  /{,**} rwl,
+  deny /boot/{,**} rwl,
+  deny /media/{,**} rwl,
+  deny /mnt/{,**} rwl,

  owner /{usr/,}lib/docker/overlay2/*/work/{,**} rw,
  owner /var/lib/docker/{,**} rwk,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -126,7 +126,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  /etc/xen/scripts/**      rmix,
  /var/lib/libvirt/virtd*  rix,

-  /usr/share/edk2-ovmf/{,**} r,
+  /usr/share/edk2*/{,**} rk,
  /usr/share/hwdata/* r,
  /usr/share/libvirt/{,**} r,
  /usr/share/mime/mime.cache r,
@ -135,6 +135,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} r,
  @{etc_rw}/libvirt/{,**} rw,
  /etc/mdevctl.d/{,**} r,
+  /etc/sasl2/qemu.conf r,
  /etc/xml/catalog r,

  /var/cache/libvirt/{,**} rw,
@ -206,6 +207,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{sys}/kernel/security/apparmor/profiles r,

  @{sys}/module/kvm_intel/parameters/nested r,
+  @{sys}/module/vhost/parameters/max_mem_regions r,

  @{sys}/fs/cgroup/ r,
  @{sys}/fs/cgroup/cgroup.controllers r,
@ -229,6 +231,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/net/ip_tables_names r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  /dev/dri/ r,
  /dev/hugepages/{,**} w,
@ -239,6 +242,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  /dev/shm/libvirt/{,**} rw,
  /dev/vfio/[0-9]* rwk,
  /dev/vhost-net rw,
+  /dev/ptmx rw,

  # Force the use of virt-aa-helper
  audit deny /{usr/,}{s,}bin/apparmor_parser rwxl,