feat(profile): update virt profiles.
This commit is contained in:
parent
5e5fde7741
commit
c806ec44eb
8 changed files with 66 additions and 12 deletions
|
|
@ -9,6 +9,8 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/cockpit-bridge
|
@{exec_path} = @{bin}/cockpit-bridge
|
||||||
profile cockpit-bridge @{exec_path} {
|
profile cockpit-bridge @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/bus-session>
|
||||||
|
include <abstractions/bus-system>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/python>
|
include <abstractions/python>
|
||||||
|
|
@ -33,6 +35,9 @@ profile cockpit-bridge @{exec_path} {
|
||||||
signal send set=term peer=unconfined,
|
signal send set=term peer=unconfined,
|
||||||
signal (send receive) set=term peer=cockpit-bridge//sudo,
|
signal (send receive) set=term peer=cockpit-bridge//sudo,
|
||||||
|
|
||||||
|
#aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus
|
||||||
|
#aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/cat ix,
|
@{bin}/cat ix,
|
||||||
|
|
@ -126,6 +131,8 @@ profile cockpit-bridge @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/app/udevadm>
|
include <abstractions/app/udevadm>
|
||||||
|
|
||||||
|
@{run}/udev/data/n@{int} r, # For network interfaces
|
||||||
|
|
||||||
include if exists <local/cockpit-bridge_udevadm>
|
include if exists <local/cockpit-bridge_udevadm>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
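Review bot: The two `#aa:dbus talk` directives added in the second hunk (`@ -33,6 +35,9`) carry no comment saying which cockpit feature drives them, and the PackageKit one uses `path=/**` while the libvirt one constrains no path, so a reader cannot tell whether the wider path is deliberate. A one-line comment above each, e.g. `# Software updates page — confirm` and `# Virtual machines page — confirm`, would record the trigger; those labels are inferred from the service names and should be checked against the bridge's actual callers. The new `@{run}/udev/data/n@{int} r, # For network interfaces` rule in the udevadm subprofile already follows that convention.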
@ -14,10 +14,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/shells>
|
include <abstractions/shells>
|
||||||
|
|
||||||
capability audit_write,
|
capability audit_write,
|
||||||
|
capability chown,
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
capability setgid,
|
capability setgid,
|
||||||
capability setuid,
|
capability setuid,
|
||||||
|
capability sys_resource,
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
|
@ -26,6 +28,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
|
||||||
@{shells_path} rix,
|
@{shells_path} rix,
|
||||||
@{bin}/cockpit-bridge rPx,
|
@{bin}/cockpit-bridge rPx,
|
||||||
@{lib}/cockpit/cockpit-pcp rPx,
|
@{lib}/cockpit/cockpit-pcp rPx,
|
||||||
|
@{bin}/ssh-agent rPx,
|
||||||
|
|
||||||
@{etc_ro}/environment r,
|
@{etc_ro}/environment r,
|
||||||
@{etc_ro}/security/limits.d/{,*.conf} r,
|
@{etc_ro}/security/limits.d/{,*.conf} r,
|
||||||
|
|
@ -47,6 +50,10 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
|
||||||
/var/log/lastlog rw,
|
/var/log/lastlog rw,
|
||||||
/var/log/wtmp rwk,
|
/var/log/wtmp rwk,
|
||||||
|
|
||||||
|
/var/lib/lastlog/ r,
|
||||||
|
/var/lib/lastlog/lastlog2.db rwk,
|
||||||
|
/var/lib/lastlog/lastlog2.db-journal rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/loginuid rw,
|
owner @{PROC}/@{pid}/loginuid rw,
|
||||||
owner @{PROC}/@{pid}/uid_map r,
|
owner @{PROC}/@{pid}/uid_map r,
|
||||||
@{PROC}/@{pids}/fd/ r,
|
@{PROC}/@{pids}/fd/ r,
|
||||||
|
|
|
||||||
|
|
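Review bot: `capability chown,` and `capability sys_resource,` in the first hunk (`@ -14,10 +14,12`) are added without a justification comment, while this same commit annotates `capability sys_resource, # Needed for vfio` in libvirtd; both are broad capabilities in a helper that already holds `setuid`/`setgid` and deserve the same treatment, e.g. `capability chown, # <reason: TODO>`. The third hunk adds the `/var/lib/lastlog/lastlog2.db` rules, which may be what needs chown, but that is an inference to confirm. `@{bin}/ssh-agent rPx,` in the second hunk also relies on a profile being attached to that path; with `Px` there is no fallback, so the transition is denied if no such profile is loaded, and the corresponding profile should be confirmed to exist in this repository.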
@ -18,9 +18,11 @@ profile cockpit-ws @{exec_path} flags=(attach_disconnected) {
|
||||||
@{lib}/cockpit/cockpit-session rPx,
|
@{lib}/cockpit/cockpit-session rPx,
|
||||||
|
|
||||||
/usr/share/cockpit/{,**} r,
|
/usr/share/cockpit/{,**} r,
|
||||||
|
/etc/cockpit/ws-certs.d/{,**} r,
|
||||||
/usr/share/pixmaps/{,**} r,
|
/usr/share/pixmaps/{,**} r,
|
||||||
/etc/cockpit/ws-certs.d/ r,
|
/usr/share/plymouth/{,**} r,
|
||||||
|
|
||||||
|
@{run}/cockpit/session rw,
|
||||||
@{run}/cockpit/wsinstance/https@@{hex64}.sock r,
|
@{run}/cockpit/wsinstance/https@@{hex64}.sock r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
|
|
|
||||||
|
|
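Review bot: `/etc/cockpit/ws-certs.d/{,**} r,` replaces the directory-only rule `/etc/cockpit/ws-certs.d/ r,` and now grants recursive read of everything below that directory, including any private key stored next to the certificates; unless another rule outside this hunk already covers the files, `/etc/cockpit/ws-certs.d/{,*} r,` is the narrower form if only top-level files are needed. A trailing comment such as `# TLS certificate and key for the web service` would record that key material is intentionally readable by this profile. `@{run}/cockpit/session rw,` is added with no indication of whether it is a socket or a regular file; a short comment would help the next reader.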
@ -69,6 +69,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
||||||
@{bin}/docker-init rCx -> init,
|
@{bin}/docker-init rCx -> init,
|
||||||
@{lib}/docker/docker-init rCx -> init,
|
@{lib}/docker/docker-init rCx -> init,
|
||||||
@{bin}/docker-proxy rPx,
|
@{bin}/docker-proxy rPx,
|
||||||
|
@{bin}/tini-static rCx -> tini,
|
||||||
@{bin}/git rCx -> git,
|
@{bin}/git rCx -> git,
|
||||||
@{bin}/kmod rCx -> kmod,
|
@{bin}/kmod rCx -> kmod,
|
||||||
@{bin}/ps rPx,
|
@{bin}/ps rPx,
|
||||||
|
|
@ -172,6 +173,14 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
|
||||||
include if exists <local/dockerd_kmod>
|
include if exists <local/dockerd_kmod>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
profile tini {
|
||||||
|
include <abstractions/base>
|
||||||
|
|
||||||
|
@{bin}/tini-static mr,
|
||||||
|
|
||||||
|
include if exists <local/dockerd_tini>
|
||||||
|
}
|
||||||
|
|
||||||
profile init flags=(attach_disconnected) {
|
profile init flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
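Review bot: The new `profile tini {` child in the second hunk (`@ -172,6 +173,14`) grants only `@{bin}/tini-static mr,` on top of `abstractions/base`, while the existing `init` child that `docker-init` is routed to carries `flags=(attach_disconnected)` and its own body, which lies outside the hunk. If tini-static plays the same role as docker-init — presumably, since Docker's docker-init is a build of tini — the two binaries may be better served by one profile: `@{bin}/tini-static rCx -> init,` in the first hunk and `@{bin}/tini-static mr,` inside `init`, rather than a second near-empty child that will accumulate its own allow list. If the separate profile is intentional, a comment above `profile tini {` stating the distinction would save the next reader the question.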
@ -25,9 +25,12 @@ profile libvirt-dbus @{exec_path} {
|
||||||
|
|
||||||
owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk,
|
owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk,
|
||||||
|
|
||||||
|
@{run}/libvirt/libvirt-sock rw,
|
||||||
|
|
||||||
@{run}/user/@{uid}/libvirt/ rw,
|
@{run}/user/@{uid}/libvirt/ rw,
|
||||||
@{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
|
@{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
|
||||||
@{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
|
@{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
|
||||||
|
owner @{run}/user/@{uid}/libvirt/libvirt-sock rw,
|
||||||
|
|
||||||
@{sys}/devices/system/node/ r,
|
@{sys}/devices/system/node/ r,
|
||||||
@{sys}/devices/system/node/node*/meminfo r,
|
@{sys}/devices/system/node/node*/meminfo r,
|
||||||
|
|
|
||||||
|
|
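Review bot: `@{run}/libvirt/libvirt-sock rw,` in this hunk opens the system-wide libvirt control socket to the libvirt-dbus profile without `owner` and without a comment, unlike the user socket rule `owner @{run}/user/@{uid}/libvirt/libvirt-sock rw,` added a few lines below. As far as I know the read-write socket is the privileged libvirt endpoint (the read-only one is `libvirt-sock-ro`), so authorisation presumably happens inside libvirt (polkit) rather than in this profile; a comment such as `# System connection; access is authorised by libvirt, not by this rule — confirm` would make that dependency explicit.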
@ -19,6 +19,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/bus-session>
|
include <abstractions/bus-session>
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
|
include <abstractions/bus/org.gtk.vfs.MountTracker>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/disks-write>
|
include <abstractions/disks-write>
|
||||||
|
|
@ -47,12 +48,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
||||||
capability sys_pacct,
|
capability sys_pacct,
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
capability sys_rawio,
|
capability sys_rawio,
|
||||||
capability sys_resource,
|
capability sys_resource, # Needed for vfio
|
||||||
|
|
||||||
network inet stream,
|
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 stream,
|
network inet stream,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
network packet dgram,
|
network packet dgram,
|
||||||
network packet raw,
|
network packet raw,
|
||||||
|
|
@ -146,7 +147,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
||||||
/etc/xml/catalog r,
|
/etc/xml/catalog r,
|
||||||
|
|
||||||
/var/cache/libvirt/{,**} rw,
|
/var/cache/libvirt/{,**} rw,
|
||||||
/var/lib/libvirt/{,**} rwk,
|
/var/lib/libvirt/ rw,
|
||||||
|
/var/lib/libvirt/** rwk,
|
||||||
/var/log/swtpm/libvirt/{,**} rw,
|
/var/log/swtpm/libvirt/{,**} rw,
|
||||||
|
|
||||||
# User VM images and share
|
# User VM images and share
|
||||||
|
|
@ -155,6 +157,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
||||||
@{user_vm_dirs}/{,**} rwk,
|
@{user_vm_dirs}/{,**} rwk,
|
||||||
@{user_publicshare_dirs}/{,**} rwk,
|
@{user_publicshare_dirs}/{,**} rwk,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/libvirt/ rw,
|
||||||
|
owner @{run}/user/@{uid}/libvirt/** rwk,
|
||||||
|
|
||||||
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
||||||
|
|
||||||
@{run}/libvirt/ rw,
|
@{run}/libvirt/ rw,
|
||||||
|
|
@ -223,6 +228,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
||||||
@{PROC}/devices r,
|
@{PROC}/devices r,
|
||||||
@{PROC}/mtrr w,
|
@{PROC}/mtrr w,
|
||||||
@{PROC}/sys/net/ipv{4,6}/** rw,
|
@{PROC}/sys/net/ipv{4,6}/** rw,
|
||||||
|
@{PROC}/uptime r,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
|
||||||
|
|
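Review bot: `include <abstractions/bus/org.gtk.vfs.MountTracker>` in the first hunk (`@ -19,6 +19,7`) pulls a gvfs (session bus) abstraction into a profile that also holds `capability sys_rawio`, `sys_ptrace` and raw network access, and nothing in the hunk says which libvirtd mode needs it; presumably the per-user session daemon rather than the system instance, but that should be stated. A comment above the include, e.g. `# Session mode only: gvfs mount tracking for user image locations — confirm`, would record the trigger, matching the `# Needed for vfio` annotation this commit adds to `capability sys_resource,` in the second hunk. The same question applies to the `owner @{run}/user/@{uid}/libvirt/** rwk,` rules in the fourth hunk (`@ -155,6 +157,9`), which likewise only make sense for a per-user instance.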
@ -21,14 +21,34 @@ profile virt-aa-helper @{exec_path} {
|
||||||
|
|
||||||
@{sbin}/apparmor_parser rPx,
|
@{sbin}/apparmor_parser rPx,
|
||||||
|
|
||||||
/etc/apparmor.d/libvirt/* r,
|
@{etc_rw}/apparmor.d/libvirt/* r,
|
||||||
@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw,
|
@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw,
|
||||||
|
@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw,
|
||||||
|
|
||||||
/etc/libnl{,-3}/classid r, # Allow reading libnl's classid file
|
/etc/libnl{,-3}/classid r, # Allow reading libnl's classid file
|
||||||
|
|
||||||
# System VM images
|
# System VM images
|
||||||
/var/lib/libvirt/images/{,**} r,
|
/var/lib/libvirt/images/{,**} r,
|
||||||
/var/lib/nova/instances/_base/* r,
|
|
||||||
|
# Openstack Nova base images & snapshots (LP: #907269 #1244694 #1644507)
|
||||||
|
/var/lib/nova/images/{,**} r,
|
||||||
|
/var/lib/nova/instances/_base/{,**} r,
|
||||||
|
/var/lib/nova/instances/snapshots/{,**} r,
|
||||||
|
/var/snap/nova-hypervisor/common/instances/_base/{,**} r,
|
||||||
|
/var/snap/nova-hypervisor/common/instances/snapshots/{,**} r,
|
||||||
|
|
||||||
|
# Eucalyptus disks & loader (LP: #564914 #637544)
|
||||||
|
/var/lib/eucalyptus/instances/**/disk* r,
|
||||||
|
/var/lib/eucalyptus/instances/**/loader* r,
|
||||||
|
|
||||||
|
# For uvtool
|
||||||
|
/var/lib/uvtool/libvirt/images/{,**} r,
|
||||||
|
|
||||||
|
# For multipass
|
||||||
|
/var/snap/multipass/common/data/multipassd/vault/instances/{,**} r,
|
||||||
|
|
||||||
|
# Common mount directories
|
||||||
|
@{MOUNTDIRS}/{,**} r,
|
||||||
|
|
||||||
# User VM images
|
# User VM images
|
||||||
@{user_share_dirs}/ r,
|
@{user_share_dirs}/ r,
|
||||||
|
|
|
||||||
|
|
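Review bot: `@{MOUNTDIRS}/{,**} r,` grants this root helper recursive read of every file below every mount directory, which is far wider than the explicitly enumerated image locations above it (nova, eucalyptus, uvtool, multipass) and is justified only by `# Common mount directories`. If the intent is to validate VM images stored on external media, say so — `# VM images on external media; presumably needed to resolve backing files — confirm` — so a later reader can judge whether the grant is still needed rather than treating it as a catch-all. The rest of the hunk (the `@{etc_rw}` prefix and `libvirt-@{uuid}.files rw`) reads as a consistency change and needs no note.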
@ -6,8 +6,8 @@ abi <abi/4.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd
|
@{exec_path} = @{lib}/virtiofsd @{lib}/qemu/virtiofsd @{bin}/virtiofsd
|
||||||
profile virtiofsd @{exec_path} {
|
profile virtiofsd @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
userns,
|
userns,
|
||||||
|
|
|
||||||
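Review bot: `flags=(attach_disconnected)` added to the `profile virtiofsd` header in this hunk lets path rules match files that are disconnected from the profile's namespace root, and nothing records why it became necessary; virtiofsd sandboxing itself is presumably the reason, given the existing `userns,` rule, but the trigger should be stated. A comment on the line above, e.g. `# virtiofsd sandboxes itself in a new mount namespace, so its paths are disconnected — confirm`, would document it. The `@{exec_path}` rewrite on the preceding line is an equivalent expansion of the brace form and needs no note.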