general_initial

apparmor.d/profiles-s-z/sensors

@@ -25,7 +25,7 @@ profile sensors @{exec_path} {
   @{sys}/devices/**/hwmon*/{name,temp*,*_input} r,
   @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r,
   @{sys}/devices/**/hwmon/hwmon[0-9]*/power[0-9]*_crit r,
-  @{sys}/devices/i2c-[0-9]*/name r,
+  @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-[0-9]*/name r,
   @{sys}/devices/pci[0-9]*/**/name r,
   @{sys}/devices/platform/**/power_supply/**/hwmon[0-9]*/curr1_max r,
   @{sys}/devices/virtual/hwmon/hwmon[0-9]* r,

apparmor.d/profiles-s-z/smartctl

@@ -21,5 +21,7 @@ profile smartctl @{exec_path} {
   /usr/share/smartmontools/** r,
   /var/lib/smartmontools/** r,
 
+  @{PROC}/devices r,
+
   include if exists <local/smartctl>
 }

apparmor.d/profiles-s-z/thermald

@@ -13,13 +13,19 @@ profile thermald @{exec_path} {
   include <abstractions/dbus-strict>
 
   capability sys_boot,
+  
+  dbus send bus=system path=/org/freedesktop/DBus
+     interface=org.freedesktop.DBus
+     member={RequestName,ReleaseName}
+     peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
+  dbus send bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,ReleaseName}
+       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 
   dbus (bind) bus=system
      name=org.freedesktop.thermald,
-  
-  dbus (send) bus=system path=/org/freedesktop/DBus
-     interface=org.freedesktop.DBus
-     member=RequestName,
 
   @{exec_path} mr,
 
@@ -52,6 +58,7 @@ profile thermald @{exec_path} {
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r,
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw,
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r,
+  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/cdev[0-9]*_trip_point r,
 
   @{sys}/devices/virtual/thermal/cooling_device[0-9]*/ r,
   @{sys}/devices/virtual/thermal/cooling_device[0-9]*/cur_state rw,

apparmor.d/profiles-s-z/umount

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}{s,}bin/umount
-profile umount @{exec_path} flags=(complain) {
+profile umount @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/disks-read>

apparmor.d/profiles-s-z/virtiofsd

@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{LOCAL_SHARED_DIRS} = /var/lib/libvirt/shared
+
+@{exec_path} = /{,usr/}lib/qemu/virtiofsd
+profile virtiofsd @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+
+  capability setgid,
+  capability setuid,
+  capability fowner,
+  capability fsetid,
+  capability sys_resource,
+  capability sys_admin,
+  capability setpcap,
+  capability dac_read_search,
+  capability dac_override,
+  capability chown,
+
+  unix (send, receive) type=stream peer=(addr=none, label=libvirt-@{uuid}),
+
+  mount options=(rw, rslave) -> /,
+  umount /,
+  mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC},
+  mount options=(rw, bind) @{PROC}/1/fd/ -> @{PROC},
+
+  @{exec_path} r,
+
+  @{PROC}/sys/fs/file-max r,
+
+  owner @{run}/libvirt/qemu/*.pid rw,
+
+  /var/lib/libvirt/qemu/*/fs[0-9]*-fs.sock rw,
+
+  # shared folders
+  mount options=(rw, rbind) -> @{LOCAL_SHARED_DIRS}/,
+  pivot_root @{LOCAL_SHARED_DIRS}/,
+  @{LOCAL_SHARED_DIRS}/ r,
+
+  include if exists <local/virtiofsd>
+}