felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(profiles): use @{bin} and @{lib} in profiles (3)

Browse source
This commit is contained in:
Alexandre Pujol 2023-07-09 14:09:55 +01:00
parent 2eed3b725f
commit 27daa7c9bb
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
355 changed files with 1473 additions and 1472 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/virt/cni-bandwidth
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/bandwidth /opt/cni/bin/bandwidth
@{exec_path} = @{lib}/cni/bandwidth /opt/cni/bin/bandwidth
profile cni-bandwidth @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/virt/cni-bridge
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/bridge /opt/cni/bin/bridge
@{exec_path} = @{lib}/cni/bridge /opt/cni/bin/bridge
profile cni-bridge @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/virt/cni-calico
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/calico /opt/cni/bin/calico
@{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico
profile cni-calico @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>

2
apparmor.d/groups/virt/cni-firewall
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/firewall /opt/cni/bin/firewall
@{exec_path} = @{lib}/cni/firewall /opt/cni/bin/firewall
profile cni-firewall @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/virt/cni-flannel
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/flannel /opt/cni/bin/flannel
@{exec_path} = @{lib}/cni/flannel /opt/cni/bin/flannel
profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){
include <abstractions/base>

2
apparmor.d/groups/virt/cni-host-local
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/host-local /opt/cni/bin/host-local
@{exec_path} = @{lib}/cni/host-local /opt/cni/bin/host-local
profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){
include <abstractions/base>

2
apparmor.d/groups/virt/cni-loopback
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/loopback /opt/cni/bin/loopback
@{exec_path} = @{lib}/cni/loopback /opt/cni/bin/loopback
profile cni-loopback @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>

4
apparmor.d/groups/virt/cni-portmap
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/portmap /opt/cni/bin/portmap
@{exec_path} = @{lib}/cni/portmap /opt/cni/bin/portmap
profile cni-portmap @{exec_path} {
include <abstractions/base>
@ -15,7 +15,7 @@ profile cni-portmap @{exec_path} {
network netlink raw,
@{exec_path} mr,
/{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
@{bin}/xtables-nft-multi rPx -> cni-xtables-nft,
@{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw,

2
apparmor.d/groups/virt/cni-tuning
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/tuning /opt/cni/bin/tuning
@{exec_path} = @{lib}/cni/tuning /opt/cni/bin/tuning
profile cni-tuning @{exec_path} {
include <abstractions/base>

4
apparmor.d/groups/virt/cni-xtables-nft
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
@{exec_path} = @{bin}/xtables-nft-multi
profile cni-xtables-nft {
include <abstractions/base>
include <abstractions/consoles>
@ -24,7 +24,7 @@ profile cni-xtables-nft {
network netlink raw,
@{exec_path} mr,
/{usr/,}{s,}bin/xtables-legacy-multi mr,
@{bin}/xtables-legacy-multi mr,
/etc/libnl/classid r,
/etc/iptables/{,**} rw,

2
apparmor.d/groups/virt/cockpit-askpass
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cockpit/cockpit-askpass
@{exec_path} = @{lib}/cockpit/cockpit-askpass
profile cockpit-askpass @{exec_path} {
include <abstractions/base>
include <abstractions/python>

8
apparmor.d/groups/virt/cockpit-bridge
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/cockpit-bridge
@{exec_path} = @{bin}/cockpit-bridge
profile cockpit-bridge @{exec_path} {
include <abstractions/base>
include <abstractions/app-launcher-root>
@ -34,9 +34,9 @@ profile cockpit-bridge @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/journalctl rPx,
/{usr/,}lib/cockpit/cockpit-pcp rPx,
/{usr/,}lib/cockpit/cockpit-ssh rPx,
@{bin}/journalctl rPx,
@{lib}/cockpit/cockpit-pcp rPx,
@{lib}/cockpit/cockpit-ssh rPx,
/usr/share/cockpit/{,**} r,

4
apparmor.d/groups/virt/cockpit-certificate-ensure
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cockpit/cockpit-certificate-ensure
@{exec_path} = @{lib}/cockpit/cockpit-certificate-ensure
profile cockpit-certificate-ensure @{exec_path} {
include <abstractions/base>
@ -16,7 +16,7 @@ profile cockpit-certificate-ensure @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/cockpit/cockpit-certificate-helper rPx,
@{lib}/cockpit/cockpit-certificate-helper rPx,
/etc/cockpit/ws-certs.d/{,*} r,

18
apparmor.d/groups/virt/cockpit-certificate-helper
View file

@ -6,21 +6,21 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cockpit/cockpit-certificate-helper
@{exec_path} = @{lib}/cockpit/cockpit-certificate-helper
profile cockpit-certificate-helper @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/id rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sscg rix,
/{usr/,}bin/tr rix,
@{bin}/{,ba,da}sh rix,
@{bin}/chmod rix,
@{bin}/id rix,
@{bin}/mkdir rix,
@{bin}/mv rix,
@{bin}/rm rix,
@{bin}/sscg rix,
@{bin}/tr rix,
/etc/machine-id r,

2
apparmor.d/groups/virt/cockpit-desktop
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cockpit/cockpit-desktop
@{exec_path} = @{lib}/cockpit/cockpit-desktop
profile cockpit-desktop @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/virt/cockpit-pcp
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cockpit/cockpit-pcp
@{exec_path} = @{lib}/cockpit/cockpit-pcp
profile cockpit-pcp @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

8
apparmor.d/groups/virt/cockpit-session
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cockpit/cockpit-session
@{exec_path} = @{lib}/cockpit/cockpit-session
profile cockpit-session @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/authentication>
@ -24,9 +24,9 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/{,z,ba,da}sh rix,
/{usr/,}bin/cockpit-bridge rPx,
/{usr/,}lib/cockpit/cockpit-pcp rPx,
@{bin}/{,z,ba,da}sh rix,
@{bin}/cockpit-bridge rPx,
@{lib}/cockpit/cockpit-pcp rPx,
@{etc_ro}/environment r,
/etc/group r,

2
apparmor.d/groups/virt/cockpit-ssh
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cockpit/cockpit-ssh
@{exec_path} = @{lib}/cockpit/cockpit-ssh
profile cockpit-ssh @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

2
apparmor.d/groups/virt/cockpit-tls
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cockpit/cockpit-tls
@{exec_path} = @{lib}/cockpit/cockpit-tls
profile cockpit-tls @{exec_path} {
include <abstractions/base>

4
apparmor.d/groups/virt/cockpit-ws
View file

@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cockpit/cockpit-ws
@{exec_path} = @{lib}/cockpit/cockpit-ws
profile cockpit-ws @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}lib/cockpit/cockpit-session rPx,
@{lib}/cockpit/cockpit-session rPx,
/usr/share/cockpit/{,**} r,
/usr/share/pixmaps/{,**} r,

2
apparmor.d/groups/virt/cockpit-wsinstance-factory
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cockpit/cockpit-wsinstance-factory
@{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory
profile cockpit-wsinstance-factory @{exec_path} {
include <abstractions/base>

13
apparmor.d/groups/virt/containerd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/containerd
@{exec_path} = @{bin}/containerd
profile containerd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/devices-usb>
@ -45,11 +45,12 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
signal (send) set=kill peer=cni-calico,
@{exec_path} mr,
/{usr/,}{s,}bin/apparmor_parser rPx,
/{usr/,}bin/containerd-shim-runc-v2 rPUx,
/{usr/,}bin/kmod rPx,
/{usr/,}bin/unpigz rPUx,
/{usr/,}{local/,}{s,}bin/zfs rPx,
@{bin}/apparmor_parser rPx,
@{bin}/containerd-shim-runc-v2 rPUx,
@{bin}/kmod rPx,
@{bin}/unpigz rPUx,
/{usr/,}{local/,}{s,}bin/zfs rPx,
/ r,

4
apparmor.d/groups/virt/containerd-shim-runc-v2
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/containerd-shim-runc-v2
@{exec_path} = @{bin}/containerd-shim-runc-v2
profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -29,7 +29,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}{s,}bin/runc rPUx,
@{bin}/runc rPUx,
/tmp/runc-process[0-9]* rw,
/tmp/pty[0-9]*/ rw,

2
apparmor.d/groups/virt/docker-proxy
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/docker-proxy
@{exec_path} = @{bin}/docker-proxy
profile docker-proxy @{exec_path} {
include <abstractions/base>

22
apparmor.d/groups/virt/dockerd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dockerd
@{exec_path} = @{bin}/dockerd
profile dockerd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -53,21 +53,21 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}{s,}bin/apparmor_parser rPx,
/{usr/,}{s,}bin/runc rUx,
/{usr/,}{s,}bin/xtables-nft-multi rix,
/{usr/,}bin/containerd rPx,
/{usr/,}bin/docker-init rix,
/{usr/,}bin/docker-proxy rPx,
/{usr/,}bin/kmod rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/unpigz rix,
@{bin}/apparmor_parser rPx,
@{bin}/containerd rPx,
@{bin}/docker-init rix,
@{bin}/docker-proxy rPx,
@{bin}/kmod rPx,
@{bin}/ps rPx,
@{bin}/runc rUx,
@{bin}/unpigz rix,
@{bin}/xtables-nft-multi rix,
# Docker needs full access of the containers it manages.
# TODO: should be in a sub profile started with pivot_root, not supported yet.
/{,**} rwl,
owner /{usr/,}lib/docker/overlay2/*/work/{,**} rw,
owner @{lib}/docker/overlay2/*/work/{,**} rw,
owner /var/lib/docker/{,**} rwk,
owner /var/lib/docker/tmp/qemu-check[0-9]*/check rix,

16
apparmor.d/groups/virt/k3s
View file

@ -56,17 +56,17 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
unix (bind,listen) type=stream addr=@xtables,
@{exec_path} mr,
/{usr/,}bin/kmod rPx,
/{usr/,}bin/mount rPx,
/{usr/,}bin/systemd-run rix,
/{usr/,}bin/{nano,emacs,ed} rPUx,
/{usr/,}bin/vim{,.basic} rPUx,
/{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
@{bin}/kmod rPx,
@{bin}/mount rPx,
@{bin}/systemd-run rix,
@{bin}/{nano,emacs,ed} rPUx,
@{bin}/vim{,.basic} rPUx,
@{bin}/xtables-nft-multi rPx -> cni-xtables-nft,
@{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
@{lib}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
/var/lib/rancher/k3s/data/@{hex}/bin/* rix,
@{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
@{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
/usr/share/mime/globs2 r,
/etc/machine-id r,

6
apparmor.d/groups/virt/libvirt-dbus
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/libvirt-dbus
@{exec_path} = @{bin}/libvirt-dbus
profile libvirt-dbus @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -14,8 +14,8 @@ profile libvirt-dbus @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/libvirtd rPx,
/{usr/,}{s,}bin/virtqemud rPx,
@{bin}/libvirtd rPx,
@{bin}/virtqemud rPx,
/usr/share/dbus-1/interfaces/org.libvirt.*.xml r,

54
apparmor.d/groups/virt/libvirtd
View file

@ -14,7 +14,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/libvirtd
@{exec_path} = @{bin}/libvirtd
profile libvirtd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -90,38 +90,38 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{libexec}/libvirt/libvirt_iohelper rix,
@{libexec}/libvirt/libvirt_parthelper rix,
@{lib}/libvirt/libvirt_iohelper rix,
@{lib}/libvirt/libvirt_parthelper rix,
@{libexec}/xen-*/bin/libxl-save-helper rPUx,
@{libexec}/xen-*/bin/pygrub rPUx,
@{lib}/udev/scsi_id rPUx,
@{lib}/xen-*/bin/libxl-save-helper rPUx,
@{lib}/xen-*/bin/pygrub rPUx,
@{lib}/xen-common/bin/xen-toolstack rPUx,
@{lib}/xen/bin/* rPUx,
/{usr/,}{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx,
/{usr/,}{lib,lib64,lib/qemu,libexec}/virtiofsd rux, # TODO: WIP
/{usr/,}lib{,64}/xen-common/bin/xen-toolstack rPUx,
/{usr/,}lib{,64}/xen/bin/* rPUx,
/{usr/,}lib/udev/scsi_id rPUx,
/{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
/{usr/,}{s,}bin/dmidecode rPx,
/{usr/,}{s,}bin/dnsmasq rPx,
/{usr/,}{s,}bin/virtiofsd rux, # TODO: WIP
/{usr/,}{s,}bin/virtlogd rPx,
/{usr/,}bin/lvm rUx,
/{usr/,}bin/mdevctl rPx,
/{usr/,}bin/swtpm rPx,
/{usr/,}bin/swtpm_ioctl rPx,
/{usr/,}bin/swtpm_setup rPx,
/{usr/,}bin/udevadm rPx,
@{bin}/dmidecode rPx,
@{bin}/dnsmasq rPx,
@{bin}/lvm rPUx,
@{bin}/mdevctl rPx,
@{bin}/swtpm rPx,
@{bin}/swtpm_ioctl rPx,
@{bin}/swtpm_setup rPx,
@{bin}/udevadm rPx,
@{bin}/virtiofsd rux, # TODO: WIP
@{bin}/virtlogd rPx,
/{usr/,}{s,}bin/xtables-nft-multi rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ip rix,
/{usr/,}bin/tc rix,
/{usr/,}bin/xmllint rix,
/{usr/,}bin/qemu-system* rUx, # TODO: Integration with virt-aa-helper
/{usr/,}bin/qemu-img rUx, # TODO: Integration with virt-aa-helper
/{usr/,}lib/libvirt/virt-aa-helper rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/ip rix,
@{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
@{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
@{bin}/tc rix,
@{bin}/xmllint rix,
@{bin}/xtables-nft-multi rix,
@{lib}/libvirt/virt-aa-helper rPx,
/etc/libvirt/hooks/** rPUx,
/etc/xen/scripts/** rmix,
@ -258,7 +258,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
/dev/ptmx rw,
# Force the use of virt-aa-helper
audit deny /{usr/,}{s,}bin/apparmor_parser rwxl,
audit deny @{bin}/apparmor_parser rwxl,
audit deny @{etc_rw}/apparmor.d/libvirt/** wxl,
audit deny @{sys}/kernel/security/apparmor/features rwxl,
audit deny @{sys}/kernel/security/apparmor/matching rwxl,

4
apparmor.d/groups/virt/virt-aa-helper
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/libvirt/virt-aa-helper
@{exec_path} = @{lib}/libvirt/virt-aa-helper
profile virt-aa-helper @{exec_path} {
include <abstractions/base>
include <abstractions/openssl>
@ -20,7 +20,7 @@ profile virt-aa-helper @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/apparmor_parser rPx,
@{bin}/apparmor_parser rPx,
/etc/apparmor.d/libvirt/* r,
@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw,

6
apparmor.d/groups/virt/virtinterfaced
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/virtinterfaced
@{exec_path} = @{bin}/virtinterfaced
profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -18,8 +18,8 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}lib/gconv/gconv-modules rm,
/{usr/,}lib/gconv/gconv-modules.d/{,*} r,
@{lib}/gconv/gconv-modules rm,
@{lib}/gconv/gconv-modules.d/{,*} r,
@{run}/systemd/inhibit/*.ref rw,
owner @{run}/user/@{uid}/libvirt/common/system.token rwk,

2
apparmor.d/groups/virt/virtiofsd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/qemu/virtiofsd /{usr/,}{s,}bin/virtiofsd
@{exec_path} = @{lib}/qemu/virtiofsd @{bin}/virtiofsd
profile virtiofsd @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/virt/virtlockd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/virtlockd
@{exec_path} = @{bin}/virtlockd
profile virtlockd @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/virt/virtlogd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/virtlogd
@{exec_path} = @{bin}/virtlogd
profile virtlogd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>

4
apparmor.d/groups/virt/virtnetworkd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/virtnetworkd
@{exec_path} = @{bin}/virtnetworkd
profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/openssl>
@ -18,7 +18,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/dnsmasq rPx,
@{bin}/dnsmasq rPx,
@{run}/utmp rk,
@{run}/systemd/inhibit/*.ref rw,

4
apparmor.d/groups/virt/virtnodedevd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/virtnodedevd
@{exec_path} = @{bin}/virtnodedevd
profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/devices-usb>
@ -21,7 +21,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/mdevctl rPx,
@{bin}/mdevctl rPx,
/usr/share/hwdata/*.ids r,

2
apparmor.d/groups/virt/virtsecretd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/virtsecretd
@{exec_path} = @{bin}/virtsecretd
profile virtsecretd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>

6
apparmor.d/groups/virt/virtstoraged
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/virtstoraged
@{exec_path} = @{bin}/virtstoraged
profile virtstoraged @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -20,8 +20,8 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/qemu-system* rUx, # TODO: Integration with virt-aa-helper
/{usr/,}bin/qemu-img rUx, # TODO: Integration with virt-aa-helper
@{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
@{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
owner @{user_config_dirs}/libvirt/storage/{,**} rw,