diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index d33348aa05..2291829270 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -22,8 +22,8 @@ signal (receive) peer=libvirtd, signal (receive) peer=/usr/sbin/libvirtd, - /dev/net/tun rw, /dev/kvm rw, + /dev/net/tun rw, /dev/ptmx rw, @{PROC}/*/status r, # When qemu is signaled to terminate, it will read cmdline of signaling @@ -39,19 +39,19 @@ /sys/bus/usb/devices/ r, /sys/devices/**/usb[0-9]*/** r, # libusb needs udev data about usb devices (~equal to content of lsusb -v) + /run/udev/data/+usb* r, /run/udev/data/c16[6,7]* r, /run/udev/data/c18[0,8,9]* r, - /run/udev/data/+usb* r, # WARNING: this gives the guest direct access to host hardware and specific # portions of shared memory. This is required for sound using ALSA with kvm, # but may constitute a security risk. If your environment does not require # the use of sound in your VMs, feel free to comment out or prepend 'deny' to # the rules for files in /dev. + /dev/snd/* rw, /{dev,run}/shm r, /{dev,run}/shmpulse-shm* r, /{dev,run}/shmpulse-shm* rwk, - /dev/snd/* rw, capability ipc_lock, # spice owner /{dev,run}/shm/spice.* rw, @@ -73,21 +73,21 @@ /var/lib/dbus/machine-id r, # access to firmware's etc - /usr/share/kvm/** r, - /usr/share/qemu/** r, - /usr/share/qemu-kvm/** r, + /usr/share/AAVMF/** r, /usr/share/bochs/** r, + /usr/share/kvm/** r, + /usr/share/misc/sgabios.bin r, /usr/share/openbios/** r, /usr/share/openhackware/** r, - /usr/share/proll/** r, - /usr/share/vgabios/** r, - /usr/share/seabios/** r, - /usr/share/misc/sgabios.bin r, - /usr/share/ovmf/** r, /usr/share/OVMF/** r, - /usr/share/AAVMF/** r, + /usr/share/ovmf/** r, + /usr/share/proll/** r, /usr/share/qemu-efi/** r, + /usr/share/qemu-kvm/** r, + /usr/share/qemu/** r, + /usr/share/seabios/** r, /usr/share/slof/** r, + /usr/share/vgabios/** r, # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140) /etc/pki/CA/ r, 
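Review bot: The firmware list in the `@@ -73,21 +73,21 @@` hunk is ordered case-insensitively (`/usr/share/OVMF/** r,` lands between openhackware and ovmf, while `/usr/share/AAVMF/** r,` leads the list), which is not the order a plain byte-wise sort would produce, so the next contributor who re-sorts with a C-locale tool will get a different diff. Since the ordering is now the only guide for where new entries go, it would help to state the collation once above the list, e.g. `# keep this list sorted (case-insensitive)`; the same applies to the binaries hunk at `@@ -98,7 +98,33 @@` if that convention is meant to hold there too. The reordering itself looks permission-neutral, as AppArmor file rules accumulate regardless of their position in the profile.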
@@ -98,7 +98,33 @@
 # the various binaries
 /usr/bin/kvm rmix,
 /usr/bin/qemu rmix,
+ /usr/bin/qemu-aarch64 rmix,
+ /usr/bin/qemu-alpha rmix,
+ /usr/bin/qemu-arm rmix,
+ /usr/bin/qemu-armeb rmix,
+ /usr/bin/qemu-cris rmix,
+ /usr/bin/qemu-i386 rmix,
 /usr/bin/qemu-kvm rmix,
+ /usr/bin/qemu-m68k rmix,
+ /usr/bin/qemu-microblaze rmix,
+ /usr/bin/qemu-microblazeel rmix,
+ /usr/bin/qemu-mips rmix,
+ /usr/bin/qemu-mips64 rmix,
+ /usr/bin/qemu-mips64el rmix,
+ /usr/bin/qemu-mipsel rmix,
+ /usr/bin/qemu-mipsn32 rmix,
+ /usr/bin/qemu-mipsn32el rmix,
+ /usr/bin/qemu-or32 rmix,
+ /usr/bin/qemu-ppc rmix,
+ /usr/bin/qemu-ppc64 rmix,
+ /usr/bin/qemu-ppc64abi32 rmix,
+ /usr/bin/qemu-ppc64le rmix,
+ /usr/bin/qemu-s390x rmix,
+ /usr/bin/qemu-sh4 rmix,
+ /usr/bin/qemu-sh4eb rmix,
+ /usr/bin/qemu-sparc rmix,
+ /usr/bin/qemu-sparc32plus rmix,
+ /usr/bin/qemu-sparc64 rmix,
 /usr/bin/qemu-system-aarch64 rmix,
 /usr/bin/qemu-system-alpha rmix,
 /usr/bin/qemu-system-arm rmix,
@@ -132,32 +158,6 @@
 /usr/bin/qemu-system-x86_64 rmix,
 /usr/bin/qemu-system-xtensa rmix,
 /usr/bin/qemu-system-xtensaeb rmix,
- /usr/bin/qemu-aarch64 rmix,
- /usr/bin/qemu-alpha rmix,
- /usr/bin/qemu-arm rmix,
- /usr/bin/qemu-armeb rmix,
- /usr/bin/qemu-cris rmix,
- /usr/bin/qemu-i386 rmix,
- /usr/bin/qemu-m68k rmix,
- /usr/bin/qemu-microblaze rmix,
- /usr/bin/qemu-microblazeel rmix,
- /usr/bin/qemu-mips rmix,
- /usr/bin/qemu-mips64 rmix,
- /usr/bin/qemu-mips64el rmix,
- /usr/bin/qemu-mipsel rmix,
- /usr/bin/qemu-mipsn32 rmix,
- /usr/bin/qemu-mipsn32el rmix,
- /usr/bin/qemu-or32 rmix,
- /usr/bin/qemu-ppc rmix,
- /usr/bin/qemu-ppc64 rmix,
- /usr/bin/qemu-ppc64abi32 rmix,
- /usr/bin/qemu-ppc64le rmix,
- /usr/bin/qemu-s390x rmix,
- /usr/bin/qemu-sh4 rmix,
- /usr/bin/qemu-sh4eb rmix,
- /usr/bin/qemu-sparc rmix,
- /usr/bin/qemu-sparc32plus rmix,
- /usr/bin/qemu-sparc64 rmix,
 /usr/bin/qemu-unicore32 rmix,
 /usr/bin/qemu-x86_64 rmix,
 # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)