# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/virtinterfaced
profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  network netlink raw,

  ptrace (read) peer=virtqemud,

  @{exec_path} mr,

  @{lib}/gconv/gconv-modules rm,
  @{lib}/gconv/gconv-modules.d/{,*} r,

        @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
  owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
  owner @{run}/user/@{uid}/libvirt/interface/ rw,
  owner @{run}/user/@{uid}/libvirt/interface/run/{,*} rwk,
  owner @{run}/user/@{uid}/libvirt/secrets/run/driver.pid rw,
  owner @{run}/user/@{uid}/libvirt/virtinterfaced* rwk,

  @{run}/utmp rk,

  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/net/ r,
  @{sys}/devices/@{pci}/net/{,**} r,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,
  @{sys}/devices/virtual/net/{,**} r,

  owner @{PROC}/@{pids}/stat r,

  include if exists <local/virtinterfaced>
}

# vim:syntax=apparmor