libvirt/examples/apparmor/libvirt-qemu

110 lines
3.3 KiB
Plaintext
Raw Normal View History

# Last Modified: Fri Nov 6 16:41:59 2009
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
# required for reading disk images
capability dac_override,
capability dac_read_search,
capability chown,
network inet stream,
network inet6 stream,
/dev/net/tun rw,
/dev/kvm rw,
/dev/ptmx rw,
/dev/kqemu rw,
# WARNING: uncommenting these gives the guest direct access to host hardware.
# This is required for USB pass through but is a security risk. You have been
# warned.
#/sys/bus/usb/devices/ r,
#/sys/devices/*/*/usb[0-9]*/** r,
#/dev/bus/usb/*/[0-9]* rw,
# WARNING: this gives the guest direct access to host hardware and specific
# portions of shared memory. This is required for sound using ALSA with kvm,
# but may constitute a security risk. If your environment does not require
# the use of sound in your VMs, feel free to comment out or prepend 'deny' to
# the rules for files in /dev.
/dev/shm/ r,
/dev/shm/pulse-shm* r,
/dev/shm/pulse-shm* rwk,
/dev/snd/* rw,
capability ipc_lock,
# 'kill' is not required for sound and is a security risk. Do not enable
# unless you absolutely need it.
deny capability kill,
/etc/pulse/client.conf r,
@{HOME}/.pulse-cookie rwk,
owner /root/.pulse-cookie rwk,
owner /root/.pulse/ rw,
owner /root/.pulse/* rw,
/usr/share/alsa/** r,
owner /tmp/pulse-*/ rw,
owner /tmp/pulse-*/* rw,
/var/lib/dbus/machine-id r,
# access to firmware's etc
/usr/share/kvm/** r,
/usr/share/qemu/** r,
/usr/share/bochs/** r,
/usr/share/openbios/** r,
/usr/share/openhackware/** r,
/usr/share/proll/** r,
/usr/share/vgabios/** r,
# the various binaries
/usr/bin/kvm rmix,
/usr/bin/qemu rmix,
/usr/bin/qemu-system-arm rmix,
/usr/bin/qemu-system-cris rmix,
/usr/bin/qemu-system-i386 rmix,
/usr/bin/qemu-system-m68k rmix,
/usr/bin/qemu-system-mips rmix,
/usr/bin/qemu-system-mips64 rmix,
/usr/bin/qemu-system-mips64el rmix,
/usr/bin/qemu-system-mipsel rmix,
/usr/bin/qemu-system-ppc rmix,
/usr/bin/qemu-system-ppc64 rmix,
/usr/bin/qemu-system-ppcemb rmix,
/usr/bin/qemu-system-sh4 rmix,
/usr/bin/qemu-system-sh4eb rmix,
/usr/bin/qemu-system-sparc rmix,
/usr/bin/qemu-system-sparc64 rmix,
/usr/bin/qemu-system-x86_64 rmix,
/usr/bin/qemu-alpha rmix,
/usr/bin/qemu-arm rmix,
/usr/bin/qemu-armeb rmix,
/usr/bin/qemu-cris rmix,
/usr/bin/qemu-i386 rmix,
/usr/bin/qemu-m68k rmix,
/usr/bin/qemu-mips rmix,
/usr/bin/qemu-mipsel rmix,
/usr/bin/qemu-ppc rmix,
/usr/bin/qemu-ppc64 rmix,
/usr/bin/qemu-ppc64abi32 rmix,
/usr/bin/qemu-sh4 rmix,
/usr/bin/qemu-sh4eb rmix,
/usr/bin/qemu-sparc rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-x86_64 rmix,
# for save and resume
/bin/dash rmix,
/bin/dd rmix,
/bin/cat rmix,
# The svirt driver does not relabel the state file
# (https://bugzilla.redhat.com/show_bug.cgi?id=529363) resulting in denied
# messages. Uncommenting these lines can work around this somewhat by
# allowing users to save state files in the specified directory. We use
# 'owner' to make sure we don't overwrite the user's files.
#owner @{HOME}/libvirt-state-files/ r,
#owner @{HOME}/libvirt-state-files/** rw,