felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): restrict the qemu-ga profile.

Browse source
This commit is contained in:
Alexandre Pujol 2025-03-04 22:26:07 +01:00
parent 3f9fe25fd4
commit d49e93523f
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
1 changed files with 15 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

36
apparmor.d/profiles-m-r/qemu-ga
View file

@ -7,40 +7,34 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/qemu-ga @{exec_path} = @{bin}/qemu-ga
profile qemu-ga @{exec_path} { profile qemu-ga @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system>
capability mknod,
capability net_admin,
capability sys_ptrace,
network inet stream,
network inet6 stream,
network netlink raw,
ptrace (read) peer=@{p_systemd},
unix type=stream addr=@@{udbus}/bus/shutdown/system,
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
@{exec_path} mr, @{exec_path} mr,
@{bin}/systemctl rix, audit @{bin}/systemctl Cx -> systemctl,
/etc/qemu/qemu-ga.conf r, /etc/qemu/qemu-ga.conf r,
owner @{run}/qga.state* rw, owner @{run}/qga.state rw,
owner @{run}/qga.state.@{rand6} rw,
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/sys/vm/max_map_count r,
owner @{PROC}/@{pid}/net/dev r,
/dev/vport@{int}p@{int} rw, /dev/vport@{int}p@{int} rw,
profile systemctl flags=(complain) {
include <abstractions/base>
include <abstractions/app/systemctl>
unix type=stream addr=@@{udbus}/bus/shutdown/system,
#aa-dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
include if exists <local/qemu-ga_systemctl>
}
include if exists <local/qemu-ga> include if exists <local/qemu-ga>
} }