From d49e93523fca55b4fa359e0195c93bb0deeada34 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Tue, 4 Mar 2025 22:26:07 +0100
Subject: [PATCH] feat(profile): restrict the qemu-ga profile.

---
 apparmor.d/profiles-m-r/qemu-ga | 36 ++++++++++++++-------------------
 1 file changed, 15 insertions(+), 21 deletions(-)

diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga
index 7e63560ec..b100e4e15 100644
--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@@ -7,40 +7,34 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/qemu-ga
-profile qemu-ga @{exec_path} {
+profile qemu-ga @{exec_path} flags=(complain) {
   include <abstractions/base>
-  include <abstractions/bus-system>
-
-  capability mknod,
-  capability net_admin,
-  capability sys_ptrace,
-
-  network inet stream,
-  network inet6 stream,
-  network netlink raw,
-
-  ptrace (read) peer=@{p_systemd},
-
-  unix type=stream addr=@@{udbus}/bus/shutdown/system,
-
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
 
   @{exec_path} mr,
 
-  @{bin}/systemctl rix,
+  audit @{bin}/systemctl Cx -> systemctl,
 
   /etc/qemu/qemu-ga.conf r,
 
-  owner @{run}/qga.state* rw,
+  owner @{run}/qga.state rw,
+  owner @{run}/qga.state.@{rand6} rw,
 
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node@{int}/meminfo r,
 
-        @{PROC}/sys/vm/max_map_count r,
-  owner @{PROC}/@{pid}/net/dev r,
-
   /dev/vport@{int}p@{int} rw,
 
+  profile systemctl flags=(complain) {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    unix type=stream addr=@@{udbus}/bus/shutdown/system,
+
+    #aa-dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+
+    include if exists <local/qemu-ga_systemctl>
+  }
+
   include if exists <local/qemu-ga>
 }