# Last Modified: Mon Apr  5 15:10:27 2010
#include <tunables/global>

/usr/lib/libvirt/virt-aa-helper {
  #include <abstractions/base>

  # needed for searching directories
  capability dac_override,
  capability dac_read_search,

  # needed for when disk is on a network filesystem
  network inet,

  deny @{PROC}/[0-9]*/mounts r,
  @{PROC}/[0-9]*/net/psched r,
  owner @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,

  # for hostdev
  /sys/devices/ r,
  /sys/devices/** r,

  /usr/lib/libvirt/virt-aa-helper mr,
  /sbin/apparmor_parser Ux,

  /etc/apparmor.d/libvirt/* r,
  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,

  # for backingstore -- allow access to non-hidden files in @{HOME} as well
  # as storage pools
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** r,
  /var/lib/libvirt/images/ r,
  /var/lib/libvirt/images/** r,
  /{media,mnt,opt,srv}/** r,

  /**.img r,
  /**.qcow{,2} r,
  /**.qed r,
  /**.vmdk r,
  /**.[iI][sS][oO] r,
  /**/disk{,.*} r,
}