# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd
profile virtiofsd @{exec_path} {
  include <abstractions/base>

  # userns,

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability mknod,
  capability setfcap,
  capability setgid,
  capability setpcap,
  capability setuid,
  capability sys_admin,
  capability sys_resource,

  mount options=(rw, bind) @{PROC}/1/fd/ -> @{PROC},
  mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC},
  mount options=(rw, rslave) -> /,

  mount options=(rw, rbind) -> @{user_publicshare_dirs}/,
  mount options=(rw, rbind) -> @{user_vm_dirs}/,
  mount options=(rw, rbind) -> @{user_vm_shares}/,

  umount /,

  pivot_root @{user_publicshare_dirs}/, # TODO: -> pivoted,
  pivot_root @{user_vm_dirs}/,
  pivot_root @{user_vm_shares}/,

  signal (receive) set=term peer=libvirtd,

  unix (send, receive) type=stream peer=(addr=none, label=libvirt-@{uuid}),

  @{exec_path} mr,

  / r,
  /var/lib/libvirt/qemu/*/fs@{int}-fs.sock rw,

  @{user_publicshare_dirs}/{,**} r,
  @{user_vm_dirs}/{,**} r,
  @{user_vm_shares}/{,**} r,

  owner @{run}/libvirt/qemu/*.pid rw,

  @{PROC}/ r,
  @{PROC}/sys/fs/file-max r,

  # profile pivoted {
  #   /{,**} rwl,
  # }

  include if exists <local/virtiofsd>
}