feat(profiles): general update.

apparmor.d/groups/virt/dockerd

@@ -32,11 +32,13 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   network netlink raw,
 
+  mount fstype=overlayfs overlay -> /var/lib/docker/overlay2/*/merged/,
   mount options=(rw, bind) -> /run/docker/netns/*,
   mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
   mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
   mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,
   mount options=(rw, rslave) -> /,
+
   umount /.pivot_root[0-9]*/,
   umount /run/docker/netns/*,
   umount /var/lib/docker/overlay*/**/,

apparmor.d/groups/virt/virtnetworkd

@@ -15,16 +15,25 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
 
   ptrace (read) peer=virtqemud,
+  ptrace (read) peer=unconfined,
 
   @{exec_path} mr,
 
   @{bin}/dnsmasq rPx,
 
-        @{run}/utmp rk,
+  /etc/libvirt/libvirt.conf r,
+
+  owner /var/lib/libvirt/dnsmasq/*.macs* rw,
+
+        @{run}/libvirt/network/default.pid r,
         @{run}/systemd/inhibit/*.ref rw,
+        @{run}/utmp rk,
+  owner @{run}/libvirt/common/system.token rwk,
+  owner @{run}/libvirt/network/{,**} rwk,
   owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
   owner @{run}/user/@{uid}/libvirt/network/{,**} rwk,
   owner @{run}/user/@{uid}/libvirt/virtnetworkd* rwk,
+  owner @{run}/virtnetworkd.pid w,
 
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node@{int}/meminfo r,

apparmor.d/groups/virt/virtnodedevd

@@ -15,22 +15,33 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
 
+  capability net_admin,
+  capability sys_admin,
+
   network netlink raw,
 
   ptrace (read) peer=virtqemud,
+  ptrace (read) peer=unconfined,
 
   @{exec_path} mr,
 
   @{bin}/mdevctl rPx,
 
   /usr/share/hwdata/*.ids r,
+  /usr/share/pci.ids r,
 
+  /etc/libvirt/libvirt.conf r,
+  /etc/libvirt/virtnodedevd.conf r,
   /etc/mdevctl.d/{,**} r,
 
         @{run}/systemd/inhibit/*.ref rw,
+  owner @{run}/libvirt/common/system.token rwk,
+  owner @{run}/libvirt/nodedev/ rw,
+  owner @{run}/libvirt/nodedev/driver.pid wk,
   owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
   owner @{run}/user/@{uid}/libvirt/nodedev/{,**} rwk,
   owner @{run}/user/@{uid}/libvirt/virtnodedevd* rwk,
+  owner @{run}/virtnodedevd.pid wk,
 
   @{run}/utmp rk,
 
@@ -49,9 +60,11 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/c1:[0-9]* r,         # For RAM disk
   @{run}/udev/data/c10:[0-9]* r,        # For non-serial mice, misc features
   @{run}/udev/data/c13:[0-9]* r,        # For /dev/input/*
+  @{run}/udev/data/c21:[0-9]* r,        # Generic SCSI access
   @{run}/udev/data/c29:[0-9]* r,        # For /dev/fb[0-9]*
   @{run}/udev/data/c90:[0-9]* r,        # For RAM, ROM, Flash
   @{run}/udev/data/c116:[0-9]* r,       # For ALSA
+  @{run}/udev/data/c202:[0-9]* r,       # CPU model-specific registers
   @{run}/udev/data/c226:[0-9]* r,       # For /dev/dri/card[0-9]*
   @{run}/udev/data/c23[4-9]:[0-9]* r,   # For dynamic assignment range 234 to 254
   @{run}/udev/data/c24[0-9]:[0-9]* r,
@@ -62,6 +75,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/n[0-9]* r,
 
   @{sys}/**/ r,
+  @{sys}/devices/@{pci}/vpd r,
   @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r,
   @{sys}/devices/**/{config,device,vendor} r,
   @{sys}/devices/**/uevent r,
@@ -71,13 +85,14 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/pci[0-9]*/**/sriov_totalvfs r,
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node@{int}/meminfo r,
-  @{sys}/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r,
+  @{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r,
   @{sys}/devices/virtual/net/{,**} r,
   @{sys}/kernel/iommu_groups/ r,
   @{sys}/kernel/iommu_groups/@{int}/devices/ r,
 
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/stat r,
+  owner @{PROC}/mtrr w,
 
   include if exists <local/virtnodedevd>
 }

apparmor.d/groups/virt/virtstoraged

@@ -14,15 +14,32 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
 
+  capability dac_read_search,
+
   network netlink raw,
 
   ptrace (read) peer=virtqemud,
+  ptrace (read) peer=unconfined,
 
   @{exec_path} mr,
 
   @{bin}/qemu-system*  rUx, # TODO: Integration with virt-aa-helper
   @{bin}/qemu-img      rUx, # TODO: Integration with virt-aa-helper
 
+  /etc/libvirt/libvirt.conf r,
+
+  # For disk images
+  @{MOUNTS}/ r,
+  @{user_img_dirs}/{,**} r,
+
+  # System VM images
+  /var/lib/libvirt/images/{,**} rw,
+
+  # User VM images
+  owner @{user_share_dirs}/ r,
+  owner @{user_share_dirs}/libvirt/{,**} rw,
+  owner @{user_vm_dirs}/{,**} rw,
+
   owner @{user_config_dirs}/libvirt/storage/{,**} rw,
 
   owner @{user_share_dirs}/gnome-boxes/images/{,*} rw,
@@ -34,6 +51,10 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/libvirt/virtstoraged.pid rwk,
   owner @{run}/user/@{uid}/libvirt/storage/{,**} rwk,
 
+  owner @{run}/libvirt/common/system.token rwk,
+  owner @{run}/libvirt/storage/{,**} rwk,
+  owner @{run}/virtstoraged.pid rwk,
+
   @{run}/systemd/inhibit/[0-9]*.ref rw,
   @{run}/utmp rwk,