feat(profile): update virt profiles.

2025-08-19 22:56:07 +02:00 · 2025-08-19 22:56:07 +02:00 · c806ec44eb
commit c806ec44eb
parent 5e5fde7741
8 changed files with 66 additions and 12 deletions
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = @{bin}/cockpit-bridge
 profile cockpit-bridge @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
@ -33,6 +35,9 @@ profile cockpit-bridge @{exec_path} {
  signal send set=term peer=unconfined,
  signal (send receive) set=term peer=cockpit-bridge//sudo,

+  #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus
+  #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/**  label=packagekitd
+
  @{exec_path} mr,

  @{bin}/cat                  ix,
@ -126,6 +131,8 @@ profile cockpit-bridge @{exec_path} {
    include <abstractions/base>
    include <abstractions/app/udevadm>

+    @{run}/udev/data/n@{int} r,             # For network interfaces
+
    include if exists <local/cockpit-bridge_udevadm>
  }

--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@ -14,10 +14,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
  include <abstractions/shells>

  capability audit_write,
+  capability chown,
  capability dac_read_search,
  capability net_admin,
  capability setgid,
  capability setuid,
+  capability sys_resource,

  network netlink raw,

@ -26,6 +28,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
  @{shells_path}         rix,
  @{bin}/cockpit-bridge  rPx,
  @{lib}/cockpit/cockpit-pcp  rPx,
+  @{bin}/ssh-agent rPx,

  @{etc_ro}/environment r,
  @{etc_ro}/security/limits.d/{,*.conf} r,
@ -47,6 +50,10 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
  /var/log/lastlog rw,
  /var/log/wtmp rwk,

+  /var/lib/lastlog/ r,
+  /var/lib/lastlog/lastlog2.db rwk,
+  /var/lib/lastlog/lastlog2.db-journal rw,
+
  owner @{PROC}/@{pid}/loginuid rw,
  owner @{PROC}/@{pid}/uid_map r,
        @{PROC}/@{pids}/fd/ r,
--- a/apparmor.d/groups/virt/cockpit-ws
+++ b/apparmor.d/groups/virt/cockpit-ws
@ -18,9 +18,11 @@ profile cockpit-ws @{exec_path} flags=(attach_disconnected) {
  @{lib}/cockpit/cockpit-session  rPx,

  /usr/share/cockpit/{,**} r,
+  /etc/cockpit/ws-certs.d/{,**} r,
  /usr/share/pixmaps/{,**} r,
-  /etc/cockpit/ws-certs.d/ r,
+  /usr/share/plymouth/{,**} r,

+  @{run}/cockpit/session rw,
  @{run}/cockpit/wsinstance/https@@{hex64}.sock r,

  owner @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -69,6 +69,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  @{bin}/docker-init             rCx -> init,
  @{lib}/docker/docker-init      rCx -> init,
  @{bin}/docker-proxy            rPx,
+  @{bin}/tini-static             rCx -> tini,
  @{bin}/git                     rCx -> git,
  @{bin}/kmod                    rCx -> kmod,
  @{bin}/ps                      rPx,
@ -172,6 +173,14 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
    include if exists <local/dockerd_kmod>
  }

+  profile tini {
+    include <abstractions/base>
+
+    @{bin}/tini-static mr,
+
+    include if exists <local/dockerd_tini>
+  }
+
  profile init flags=(attach_disconnected) {
    include <abstractions/base>

--- a/apparmor.d/groups/virt/libvirt-dbus
+++ b/apparmor.d/groups/virt/libvirt-dbus
@ -25,9 +25,12 @@ profile libvirt-dbus @{exec_path} {

  owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk,

+  @{run}/libvirt/libvirt-sock rw,
+
        @{run}/user/@{uid}/libvirt/ rw,
        @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
        @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
+  owner @{run}/user/@{uid}/libvirt/libvirt-sock rw,

  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node*/meminfo r,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -19,6 +19,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/consoles>
  include <abstractions/devices-usb>
  include <abstractions/disks-write>
@ -47,12 +48,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  capability sys_pacct,
  capability sys_ptrace,
  capability sys_rawio,
-  capability sys_resource,
+  capability sys_resource,  # Needed for vfio

-  network inet stream,
  network inet dgram,
-  network inet6 stream,
+  network inet stream,
  network inet6 dgram,
+  network inet6 stream,
  network netlink raw,
  network packet dgram,
  network packet raw,
@ -146,7 +147,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  /etc/xml/catalog r,

  /var/cache/libvirt/{,**} rw,
-  /var/lib/libvirt/{,**} rwk,
+  /var/lib/libvirt/ rw,
+  /var/lib/libvirt/** rwk,
  /var/log/swtpm/libvirt/{,**} rw,

  # User VM images and share
@ -155,6 +157,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{user_vm_dirs}/{,**} rwk,
  @{user_publicshare_dirs}/{,**} rwk,

+  owner @{run}/user/@{uid}/libvirt/ rw,
+  owner @{run}/user/@{uid}/libvirt/** rwk,
+
  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  @{run}/libvirt/ rw,
@ -223,6 +228,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
        @{PROC}/devices r,
        @{PROC}/mtrr w,
        @{PROC}/sys/net/ipv{4,6}/** rw,
+        @{PROC}/uptime r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
--- a/apparmor.d/groups/virt/virt-aa-helper
+++ b/apparmor.d/groups/virt/virt-aa-helper
@ -21,14 +21,34 @@ profile virt-aa-helper @{exec_path} {

  @{sbin}/apparmor_parser rPx,

-  /etc/apparmor.d/libvirt/* r,
+  @{etc_rw}/apparmor.d/libvirt/* r,
  @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw,
+  @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw,

  /etc/libnl{,-3}/classid r,   # Allow reading libnl's classid file

  # System VM images
  /var/lib/libvirt/images/{,**} r,
-  /var/lib/nova/instances/_base/* r,
+
+  # Openstack Nova base images & snapshots (LP: #907269 #1244694 #1644507)
+  /var/lib/nova/images/{,**} r,
+  /var/lib/nova/instances/_base/{,**} r,
+  /var/lib/nova/instances/snapshots/{,**} r,
+  /var/snap/nova-hypervisor/common/instances/_base/{,**} r,
+  /var/snap/nova-hypervisor/common/instances/snapshots/{,**} r,
+
+  # Eucalyptus disks & loader (LP: #564914 #637544)
+  /var/lib/eucalyptus/instances/**/disk* r,
+  /var/lib/eucalyptus/instances/**/loader* r,
+
+  # For uvtool
+  /var/lib/uvtool/libvirt/images/{,**} r,
+
+  # For multipass
+  /var/snap/multipass/common/data/multipassd/vault/instances/{,**} r,
+
+  # Common mount directories
+  @{MOUNTDIRS}/{,**} r,

  # User VM images
  @{user_share_dirs}/ r,
--- a/apparmor.d/groups/virt/virtiofsd
+++ b/apparmor.d/groups/virt/virtiofsd
@ -6,8 +6,8 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd
-profile virtiofsd @{exec_path} {
+@{exec_path} = @{lib}/virtiofsd @{lib}/qemu/virtiofsd @{bin}/virtiofsd
+profile virtiofsd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>

  userns,