deploy/apparmor/libvirtd
# Profile is based on the upstream libvirt profile
#include <tunables/global>
profile libvirtd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/dbus>
capability kill,
capability net_admin,
capability net_raw,
capability setgid,
capability sys_admin,
capability sys_module,
capability sys_ptrace,
capability sys_nice,
capability sys_chroot,
capability setuid,
capability dac_override,
capability dac_read_search,
capability fowner,
capability chown,
capability setpcap,
capability mknod,
capability fsetid,
capability ipc_lock,
capability audit_write,
# Needed for vfio
capability sys_resource,
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
network packet dgram,
network netlink,
dbus bus=system,
signal,
ptrace,
unix,
allow mount,
allow umount,
# for now, use a very lenient profile since we want to first focus on
# confining the guests
/ r,
/** rwmkl,
/bin/* PUx,
/sbin/* PUx,
/usr/bin/* PUx,
/usr/sbin/* PUx,
/lib/udev/scsi_id PUx,
/usr/lib/xen-common/bin/xen-toolstack PUx,
/usr/lib/xen-*/bin/pygrub PUx,
/usr/lib/xen-*/bin/libxl-save-helper PUx,
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
# write and run an ebtables script.
/var/lib/libvirt/virtd* ixr,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
/usr/lib/libvirt/* PUxr,
/usr/sbin/libvirtd rix,
/sys/kernel/security/apparmor/profiles r,
/vmwrapper rix,
}