
/etc/apparmor.d/abstractions/libvirt-qemu is in libvirt-bin 1.3.1-1ubuntu10.

This file is owned by root:root, with mode 0o644.


# Last Modified: Wed Jul  8 09:57:41 2009
#
# AppArmor abstraction /etc/apparmor.d/abstractions/libvirt-qemu
# (libvirt-bin 1.3.1-1ubuntu10). It is meant to be #included by the
# profiles that confine QEMU/KVM guest processes, so every rule below is
# granted to every guest. Device- and image-specific paths are expected to be
# added to the including profile dynamically (see the hostdev note below);
# they are not listed here.
#
# Reading guide for the permission letters used in this file:
#   r = read, w = write, k = file locking, m = mmap PROT_EXEC,
#   ix = execute and keep the current profile (no transition),
#   Cx -> name = execute under the named child profile,
#   "owner" restricts the rule to files owned by the process's uid,
#   "deny" rules override allow rules and are not logged (quiet).

  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # required for reading disk images
  # NOTE(review): dac_override / dac_read_search bypass DAC mode bits for the
  # whole confined process, not only for disk images; the path rules below
  # stay the effective limit on which files the guest process can open.
  capability dac_override,
  capability dac_read_search,
  capability chown,

  # needed to drop privileges
  capability setgid,
  capability setuid,

  # this is needed with libcap-ng support, however it breaks a lot of things
  # atm, so just silence the denial until libcap-ng works right. LP: #522845
  deny capability setpcap,

  # stream (TCP) sockets over IPv4 and IPv6; no dgram or raw socket rule is
  # granted here
  network inet stream,
  network inet6 stream,

  # virtualization and network back-end devices: tun/tap for guest NICs,
  # /dev/kvm for hardware acceleration, /dev/ptmx for pts-backed chardevs
  /dev/net/tun rw,
  /dev/tap* rw,
  /dev/kvm rw,
  /dev/ptmx rw,
  /dev/kqemu rw,
  @{PROC}/*/status r,
  @{PROC}/sys/kernel/cap_last_cap r,
  owner @{PROC}/*/auxv r,
  @{PROC}/sys/vm/overcommit_memory r,

  # host topology (NUMA nodes, CPUs), read-only
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/devices/system/cpu/ r,

  /sys/module/vhost/parameters/max_mem_regions r,

  # For hostdev access. The actual devices will be added dynamically
  /sys/bus/usb/devices/ r,
  /sys/devices/**/usb[0-9]*/** r,

  # WARNING: this gives the guest direct access to host hardware and specific
  # portions of shared memory. This is required for sound using ALSA with kvm,
  # but may constitute a security risk. If your environment does not require
  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
  # the rules for files in /dev.
  /{dev,run}/shm r,
  # NOTE(review): the next two patterns have no '/' between "shm" and
  # "pulse-shm", so as written they cannot match files inside /{dev,run}/shm/;
  # presumably /{dev,run}/shm/pulse-shm* was intended. Verify against the
  # intended pulse setup before correcting, since the fix widens access.
  /{dev,run}/shmpulse-shm* r,
  /{dev,run}/shmpulse-shm* rwk,
  /dev/snd/* rw,
  capability ipc_lock,
  # spice
  /usr/bin/qemu-system-i386-spice rmix,
  /usr/bin/qemu-system-x86_64-spice rmix,
  /{dev,run}/shm/ r,
  owner /{dev,run}/shm/spice.* rw,
  # 'kill' is not required for sound and is a security risk. Do not enable
  # unless you absolutely need it.
  deny capability kill,

  # Uncomment the following if you need access to /dev/fb*
  #/dev/fb* rw,

  # PulseAudio client state. Note that the @{HOME} cookie rule is the only one
  # in this group without "owner", so it matches any user's cookie under
  # @{HOME}, unlike the /root and /tmp rules below it.
  /etc/pulse/client.conf r,
  @{HOME}/.pulse-cookie rwk,
  owner /root/.pulse-cookie rwk,
  owner /root/.pulse/ rw,
  owner /root/.pulse/* rw,
  /usr/share/alsa/** r,
  owner /tmp/pulse-*/ rw,
  owner /tmp/pulse-*/* rw,
  /var/lib/dbus/machine-id r,

  # access to firmware's etc
  # (all read-only: BIOS/UEFI/OpenBIOS/SLOF images loaded into the guest)
  /usr/share/kvm/** r,
  /usr/share/qemu/** r,
  /usr/share/bochs/** r,
  /usr/share/openbios/** r,
  /usr/share/openhackware/** r,
  /usr/share/proll/** r,
  /usr/share/vgabios/** r,
  /usr/share/seabios/** r,
  /usr/share/misc/sgabios.bin r,
  /usr/share/ovmf/** r,
  /usr/share/slof/** r,

  # access PKI infrastructure
  /etc/pki/libvirt-vnc/** r,

  # the various binaries
  # "rmix" lets the emulator be read, mapped executable and re-executed while
  # staying in this same profile; no profile transition happens on exec.
  # (qemu-sparc64 is listed twice below; the duplicate is harmless.)
  /usr/bin/kvm rmix,
  /usr/bin/qemu rmix,
  /usr/bin/qemu-system-aarch64 rmix,
  /usr/bin/qemu-system-alpha rmix,
  /usr/bin/qemu-system-arm rmix,
  /usr/bin/qemu-system-cris rmix,
  /usr/bin/qemu-system-i386 rmix,
  /usr/bin/qemu-system-lm32 rmix,
  /usr/bin/qemu-system-m68k rmix,
  /usr/bin/qemu-system-microblaze rmix,
  /usr/bin/qemu-system-microblazeel rmix,
  /usr/bin/qemu-system-mips rmix,
  /usr/bin/qemu-system-mips64 rmix,
  /usr/bin/qemu-system-mips64el rmix,
  /usr/bin/qemu-system-mipsel rmix,
  /usr/bin/qemu-system-moxie rmix,
  /usr/bin/qemu-system-or32 rmix,
  /usr/bin/qemu-system-ppc rmix,
  /usr/bin/qemu-system-ppc64 rmix,
  /usr/bin/qemu-system-ppc64le rmix,
  /usr/bin/qemu-system-ppcemb rmix,
  /usr/bin/qemu-system-s390x rmix,
  /usr/bin/qemu-system-sh4 rmix,
  /usr/bin/qemu-system-sh4eb rmix,
  /usr/bin/qemu-system-sparc rmix,
  /usr/bin/qemu-system-sparc64 rmix,
  /usr/bin/qemu-system-tricore rmix,
  /usr/bin/qemu-system-unicore32 rmix,
  /usr/bin/qemu-system-x86_64 rmix,
  /usr/bin/qemu-system-x86_64-spice rmix,
  /usr/bin/qemu-system-xtensa rmix,
  /usr/bin/qemu-system-xtensaeb rmix,
  /usr/bin/qemu-aarch64 rmix,
  /usr/bin/qemu-alpha rmix,
  /usr/bin/qemu-arm rmix,
  /usr/bin/qemu-armeb rmix,
  /usr/bin/qemu-cris rmix,
  /usr/bin/qemu-i386 rmix,
  /usr/bin/qemu-m68k rmix,
  /usr/bin/qemu-microblaze rmix,
  /usr/bin/qemu-microblazeel rmix,
  /usr/bin/qemu-mips rmix,
  /usr/bin/qemu-mipsel rmix,
  /usr/bin/qemu-mips64 rmix,
  /usr/bin/qemu-mips64el rmix,
  /usr/bin/qemu-mipsn32 rmix,
  /usr/bin/qemu-mipsn32el rmix,
  /usr/bin/qemu-or32 rmix,
  /usr/bin/qemu-ppc rmix,
  /usr/bin/qemu-ppc64 rmix,
  /usr/bin/qemu-ppc64abi32 rmix,
  /usr/bin/qemu-ppc64le rmix,
  /usr/bin/qemu-s390x rmix,
  /usr/bin/qemu-sh4 rmix,
  /usr/bin/qemu-sh4eb rmix,
  /usr/bin/qemu-sparc rmix,
  /usr/bin/qemu-sparc64 rmix,
  /usr/bin/qemu-sparc32plus rmix,
  /usr/bin/qemu-sparc64 rmix,
  /usr/bin/qemu-unicore32 rmix,
  /usr/bin/qemu-x86_64 rmix,

  # for save and resume
  # The shell and tools run with "ix", i.e. still confined by this profile,
  # so they gain no access beyond what the emulator itself has.
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,
  /etc/pki/CA/ r,
  /etc/pki/CA/* r,
  /etc/pki/libvirt/ r,
  /etc/pki/libvirt/** r,

  # kvm.powerpc executes this
  /bin/uname rmix,

  # for rbd
  /etc/ceph/ceph.conf r,

  # for qemu-block-extra
  # block-driver plugins: read + mmap only, no execute permission
  /usr/lib/@{multiarch}/qemu/*.so rm,

  # for access to hugepages
  owner "/run/hugepages/kvm/libvirt/qemu/**" rw,
  owner "/dev/hugepages/libvirt/qemu/**" rw,

  # for usb access
  /dev/bus/usb/ r,
  /etc/udev/udev.conf r,
  /sys/bus/ r,
  /sys/class/ r,

  # only libvirtd may signal or ptrace the guest process; the peer is matched
  # by profile name, so this holds only if libvirtd runs under that profile
  signal (receive) peer=/usr/sbin/libvirtd,
  ptrace (tracedby) peer=/usr/sbin/libvirtd,

  # for ppc device-tree access
  @{PROC}/device-tree/ r,
  @{PROC}/device-tree/** r,
  /sys/firmware/devicetree/** r,

  # allow access to charm-specific ceph config (see lp#1403648)
  /var/lib/charm/*/ceph.conf r,
  # silence spurious denials (see lp#1403648)
  # explicit deny: these also win over any allow rule for /tmp or /var/tmp
  # that an including profile might add
  deny /tmp/{,**} r,
  deny /var/tmp/{,**} r,

  # silence refusals to open lttng files (see lp#1432644)
  deny /dev/shm/lttng-ust-wait-* r,
  deny /run/shm/lttng-ust-wait-* r,

  # allow serial console backed by pts chardev (LP: #1342083)
  # NOTE(review): "0-9*" below is not a character class; as written it matches
  # a literal "0-9" prefix, presumably "[0-9]*" (a pid directory) was
  # intended, as in the node[0-9]* rule above — confirm before changing.
  /usr/lib/pt_chown ix,
  owner @{PROC}/0-9*/fd/ r,
  # On exec, transition into the child profile below rather than inheriting
  # the guest profile, so the helper's extra capabilities (net_admin, setpcap)
  # are never granted to the emulator process itself.
  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
  # child profile for bridge helper process
  profile qemu_bridge_helper {
   #include <abstractions/base>

   # the helper presumably runs setuid to attach tap devices to a bridge;
   # setpcap is allowed here although the parent profile denies it
   capability setuid,
   capability setgid,
   capability setpcap,
   capability net_admin,

   # for 9p
   capability fsetid,
   capability fowner,

   network inet stream,

   # tap creation plus read-only access to the helper's own configuration
   # under /etc/qemu (presumably its bridge ACL)
   /dev/net/tun rw,
   /etc/qemu/** r,
   owner @{PROC}/*/status r,

   # re-executing the helper stays inside this child profile
   /usr/{lib,libexec}/qemu-bridge-helper rmix,
  }