fixes

2023-02-20 21:01:05 +00:00 · 2023-02-20 21:01:05 +00:00 · d18e012f9e
commit d18e012f9e
parent a873af1f26
5 changed files with 5 additions and 4 deletions
--- a/apparmor.d/groups/virt/virtiofsd
+++ b/apparmor.d/groups/virt/virtiofsd
@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{LOCAL_SHARED_DIRS} = /var/lib/libvirt/shared
+include if exists <local/tunables/virtiofsd>
+
+@{exec_path} = /{,usr/}lib/qemu/virtiofsd
+profile virtiofsd @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+
+  capability setgid,
+  capability setuid,
+  capability fowner,
+  capability fsetid,
+  capability sys_resource,
+  capability sys_admin,
+  capability setpcap,
+  capability dac_read_search,
+  capability dac_override,
+  capability chown,
+
+  unix (send, receive) type=stream peer=(addr=none, label=libvirt-@{uuid}),
+
+  mount options=(rw, rslave) -> /,
+  umount /,
+  mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC},
+  mount options=(rw, bind) @{PROC}/1/fd/ -> @{PROC},
+
+  @{exec_path} r,
+
+  @{PROC}/sys/fs/file-max r,
+
+  owner @{run}/libvirt/qemu/*.pid rw,
+
+  /var/lib/libvirt/qemu/*/fs[0-9]*-fs.sock rw,
+
+  # shared folders
+  mount options=(rw, rbind) -> @{LOCAL_SHARED_DIRS}/,
+  pivot_root @{LOCAL_SHARED_DIRS}/,
+  @{LOCAL_SHARED_DIRS}/ r,
+
+  include if exists <local/virtiofsd>
+}