From a8a560dd3aaa71d343729c699459fe156e382367 Mon Sep 17 00:00:00 2001
From: Jamie Strandboge <jamie@canonical.com>
Date: Fri, 13 Nov 2009 15:19:05 +0100
Subject: [PATCH] AppArmor updates of examples

* examples/apparmor/libvirt-qemu: adds pulseaudio, alsa and preliminary
  save/restore to the example apparmor abstraction
* examples/apparmor/usr.sbin.libvirtd: allows libvirtd access to inet
  dgram, inet6 dgram, inet6 stream and /usr/lib/libvirt/*
---
 examples/apparmor/libvirt-qemu      | 40 ++++++++++++++++++++++++++++-
 examples/apparmor/usr.sbin.libvirtd |  4 +++
 2 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 6555f85bab..a8c4a84a0f 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -1,4 +1,4 @@
-# Last Modified: Wed Jul  8 09:57:41 2009
+# Last Modified: Fri Nov  6 16:41:59 2009
 
   #include <abstractions/base>
   #include <abstractions/consoles>
@@ -24,6 +24,31 @@
   #/sys/devices/*/*/usb[0-9]*/** r,
   #/dev/bus/usb/*/[0-9]* rw,
 
+  # WARNING: this gives the guest direct access to host hardware and specific
+  # portions of shared memory. This is required for sound using ALSA with kvm,
+  # but may constitute a security risk. If your environment does not require
+  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+  # the rules for files in /dev.
+  /dev/shm/ r,
+  /dev/shm/pulse-shm* r,
+  /dev/shm/pulse-shm* rwk,
+  /dev/snd/* rw,
+  capability ipc_lock,
+  # 'kill' is not required for sound and is a security risk. Do not enable
+  # unless you absolutely need it.
+  deny capability kill,
+
+  /etc/pulse/client.conf r,
+  @{HOME}/.pulse-cookie rwk,
+  owner /root/.pulse-cookie rwk,
+  owner /root/.pulse/ rw,
+  owner /root/.pulse/* rw,
+  /usr/share/alsa/** r,
+  owner /tmp/pulse-*/ rw,
+  owner /tmp/pulse-*/* rw,
+  /var/lib/dbus/machine-id r,
+
+  # access to firmware's etc
   /usr/share/kvm/** r,
   /usr/share/qemu/** r,
   /usr/share/bochs/** r,
@@ -69,3 +94,16 @@
   /usr/bin/qemu-sparc32plus rmix,
   /usr/bin/qemu-sparc64 rmix,
   /usr/bin/qemu-x86_64 rmix,
+
+  # for save and resume
+  /bin/dash rmix,
+  /bin/dd rmix,
+  /bin/cat rmix,
+
+  # The svirt driver does not relabel the state file
+  # (https://bugzilla.redhat.com/show_bug.cgi?id=529363) resulting in denied
+  # messages. Uncommenting these lines can work around this somewhat by
+  # allowing users to save state files in the specified directory. We use
+  # 'owner' to make sure we don't overwrite the user's files.
+  #owner @{HOME}/libvirt-state-files/ r,
+  #owner @{HOME}/libvirt-state-files/** rw,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 47d3916334..5f9fd53cad 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -23,6 +23,9 @@
   capability mknod,
 
   network inet stream,
+  network inet dgram,
+  network inet6 stream,
+  network inet6 dgram,
 
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
@@ -32,6 +35,7 @@
   /sbin/* Ux,
   /usr/bin/* Ux,
   /usr/sbin/* Ux,
+  /usr/lib/libvirt/* Ux,
 
   # force the use of virt-aa-helper
   audit deny /sbin/apparmor_parser rwxl,
-- 
GitLab