External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-26 07:36:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
9e2fe24518
libvirt/examples/apparmor/usr.sbin.libvirtd
Jamie Strandboge 624a7927f0 Documentation and examples for SVirt Apparmor driver 
* docs/drvqemu.html.in: include documentation for AppArmor sVirt
  confinement
* examples/apparmor/TEMPLATE examples/apparmor/libvirt-qemu
  examples/apparmor/usr.lib.libvirt.virt-aa-helper
  examples/apparmor/usr.sbin.libvirtd: example templates and
  configuration files for SVirt Apparmor when using KVM/QEmu
2009-10-08 16:42:05 +02:00

49 lines
1.2 KiB
Plaintext
Raw Blame History

# Last Modified: Wed Sep 23 23:23:58 2009
#include <tunables/global>
@{LIBVIRT}="libvirt"
/usr/sbin/libvirtd {
#include <abstractions/base>
capability kill,
capability net_admin,
capability net_raw,
capability setgid,
capability sys_admin,
capability sys_module,
capability sys_ptrace,
capability sys_nice,
capability sys_chroot,
capability setuid,
capability dac_override,
capability dac_read_search,
capability fowner,
capability chown,
capability setpcap,
capability mknod,
network inet stream,
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
/** rwmkl,
/bin/* Ux,
/sbin/* Ux,
/usr/bin/* Ux,
/usr/sbin/* Ux,
# force the use of virt-aa-helper
audit deny /sbin/apparmor_parser rwxl,
audit deny /etc/apparmor.d/libvirt/** wxl,
audit deny /sys/kernel/security/apparmor/features rwxl,
audit deny /sys/kernel/security/apparmor/matching rwxl,
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
/usr/lib/libvirt/virt-aa-helper Pxr,
# allow changing to our UUID-based named profiles
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
}
Reference in New Issue View Git Blame Copy Permalink