# apparmor.d - Full set of apparmor profiles
# Copyright (C) Libvirt Team
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

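@{exec_path} = @{lib}/libvirt/virt-aa-helper
@{att} = ""
# NOTE: flags=(complain) means violations are only logged, not blocked, until the
# profile is switched to enforce mode.
profile virt-aa-helper /{,usr/}lib{,exec,32,64}/libvirt/virt-aa-helper flags=(complain) {
  include <abstractions/base-strict>

  # Read VM disk images regardless of file ownership/mode (bypasses DAC checks).
  capability dac_override,
  capability dac_read_search,

  network inet,
  network inet6,

  @{exec_path} mr,

  # Transition into apparmor_parser's own profile (px); presumably used to load
  # the generated libvirt-@{uuid} profile written below.
  @{sbin}/apparmor_parser rpx,

  # Generated per-domain profiles and their file lists; only these two
  # per-uuid paths are writable.
  @{etc_rw}/apparmor.d/libvirt/* r,
  @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw,
  @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw,

  /etc/libnl{,-3}/classid r,   # Allow reading libnl's classid file

  # System VM images
  /var/lib/libvirt/images/{,**} r,

  # Openstack Nova base images & snapshots (LP: #907269 #1244694 #1644507)
  /var/lib/nova/images/{,**} r,
  /var/lib/nova/instances/_base/{,**} r,
  /var/lib/nova/instances/snapshots/{,**} r,
  /var/snap/nova-hypervisor/common/instances/_base/{,**} r,
  /var/snap/nova-hypervisor/common/instances/snapshots/{,**} r,

  # Eucalyptus disks & loader (LP: #564914 #637544)
  /var/lib/eucalyptus/instances/**/disk* r,
  /var/lib/eucalyptus/instances/**/loader* r,

  # For uvtool
  /var/lib/uvtool/libvirt/images/{,**} r,

  # For multipass
  /var/snap/multipass/common/data/multipassd/vault/instances/{,**} r,

  # Common mount directories
  @{MOUNTDIRS}/{,**} r,

  # User VM images
  @{user_share_dirs}/ r,
  @{user_share_dirs}/libvirt/{,**} r,
  @{user_vm_dirs}/{,**} r,

  # For virt-sandbox
  @{run}/libvirt/**/[sv]d[a-z] r,

  @{sys}/bus/usb/devices/ r,
  @{sys}/devices/ r,
  @{sys}/devices/** r,

  # Own-process info only (@{pid}); the mounts listing is explicitly denied.
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/net/psched r,
  deny @{PROC}/@{pid}/mounts r,

  # For gl enabled graphics
  /dev/dri/{,*} r,

  # For hostdev
  # Raw block devices are explicitly denied rather than left unlisted so the
  # attempts are refused and not logged.
  deny /dev/dasd* r,
  deny /dev/dm-* r,
  deny /dev/drbd[0-9]* r,
  deny /dev/mapper/ r,
  deny /dev/mapper/* r,
  deny /dev/nvme* r,
  deny /dev/sd* r,
  deny /dev/vd* r,
  deny /dev/zd[0-9]* r,

  include if exists <usr/virt-aa-helper.d>
  include if exists <local/virt-aa-helper>
}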

# vim:syntax=apparmor
