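# Last Modified: Mon Aug 17 19:31:37 2020
#
# AppArmor profile for the libvirt daemon (/usr/sbin/libvirtd) plus a child
# profile for qemu-bridge-helper.  libvirtd is deliberately permissive
# (near-full filesystem access, a long capability list, helpers that run
# unconfined); the "audit deny" block below is what keeps it from altering
# AppArmor policy itself — deny rules take precedence over the broad
# "/** mrwlk" allow rule, and "audit" logs each attempt.
#
# NOTE(review): the "<...>" argument of every #include was stripped from the
# recovered text (angle brackets lost in extraction).  The standard
# tunables/abstractions are restored below; the per-site override include
# (conventionally local/<profile-file-name>) is left as a labelled
# placeholder — restore it from the upstream profile before loading.

@{LIBVIRT} = libvirt

# Global tunables; these define @{PROC}, which the child profile uses.
#include <tunables/global>

# attach_disconnected: paths on disconnected (e.g. moved/unmounted) objects
# are still matched against the rules below instead of being denied.
profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/dbus>
  #include <local/PLACEHOLDER-site-local-override>

  # Capabilities (alphabetical).  With sys_admin, sys_module, sys_ptrace and
  # dac_override the daemon is effectively root; confinement here comes from
  # the file, exec and deny rules, not from capability restriction.
  capability audit_write,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability ipc_lock,
  capability kill,
  capability mknod,
  capability net_admin,
  capability net_raw,
  capability setgid,
  capability setpcap,
  capability setuid,
  capability sys_admin,
  capability sys_chroot,
  capability sys_module,
  capability sys_nice,
  capability sys_pacct,
  capability sys_ptrace,
  capability sys_resource,

  # Network: IPv4/IPv6 stream+datagram, netlink, raw packet sockets, unix dgram.
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,
  network packet dgram,
  network packet raw,
  network unix dgram,

  # Mounts: mark / rslave, then mount and move trees between /dev and
  # /{,var/}run/libvirt/qemu/*.dev/ — presumably the per-guest private /dev.
  # The run-directory alternation was "/{var/,}run" in one rule and
  # "/{,var/}run" in the others; both match the same paths, normalized here.
  mount options=(rw,rslave) -> /,
  mount options=(rw, nosuid) -> /{,var/}run/libvirt/qemu/*.dev/,
  mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
  mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
  mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
  mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,

  # Signal / ptrace / unix-socket peers: the per-guest libvirt-* profiles,
  # dnsmasq (confined or by path), unconfined processes, itself, and the
  # qemu_bridge_helper child profile.
  signal (read send) peer=libvirt-*,
  signal (read send) peer=unconfined,
  signal send peer=/usr/sbin/dnsmasq,
  signal send peer=dnsmasq,
  signal send set=(kill term) peer=unconfined,
  signal send set=term peer=libvirtd//qemu_bridge_helper,
  ptrace (read trace) peer=/usr/sbin/dnsmasq,
  ptrace (read trace) peer=@{profile_name},
  ptrace (read trace) peer=dnsmasq,
  ptrace (read trace) peer=libvirt-*,
  ptrace (read trace) peer=unconfined,
  # The "label=unconfined" rule is a superset of the "addr=none" variant
  # above it; both are kept as generated.
  unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
  unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),
  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
  unix (send, receive) type=stream addr=none peer=(label=unconfined),

  # Self-protection.  The daemon may read its generated policy under
  # /etc/apparmor.d/libvirt/ but never write, lock or execute there; it may
  # not touch the securityfs control files (dot-prefixed), "features" or
  # "matching"; and it may not run apparmor_parser.  Only the profile list
  # (/sys/kernel/security/apparmor/profiles) is readable, granted further down.
  audit deny /etc/apparmor.d/libvirt/** wlx,
  audit deny /sys/kernel/security/apparmor/.* rwlx,
  audit deny /sys/kernel/security/apparmor/features rwlx,
  audit deny /sys/kernel/security/apparmor/matching rwlx,
  audit deny /{usr/,}sbin/apparmor_parser rwlx,

  # Filesystem: read /, and read/write/map/lock everything beneath it.
  # Everything not carved out by the deny block above is reachable.
  / r,
  /** mrwlk,

  # Exec transitions.  PUx: run under the target's own profile if one is
  # loaded, otherwise unconfined, environment scrubbed.  Ux: always
  # unconfined, scrubbed.  ix: inherit this profile.  pix: own profile if
  # present, else inherit (no scrub).  Cx: switch to the named child profile.
  /bin/* PUx,
  /etc/libvirt/hooks/** mrix,
  /etc/xen/scripts/** mrix,
  /sbin/* PUx,
  /sys/kernel/security/apparmor/profiles r,
  /usr/bin/* PUx,
  /usr/lib/xen-*/bin/libxl-save-helper PUx,
  /usr/lib/xen-*/bin/pygrub PUx,
  /usr/sbin/* PUx,
  /usr/sbin/virtlogd pix,
  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
  /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
  /usr/{lib,lib64}/libvirt/* rPUx,
  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
  /usr/{lib,lib64}/xen/bin/* Ux,
  /var/lib/libvirt/virtd* rix,
  /{usr/,}lib/udev/scsi_id PUx,

  # Allow the daemon to switch into a per-guest profile named
  # libvirt-<uuid> (five hex groups).
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

  # Child profile entered via the Cx rule above.  Much tighter than the
  # parent: four capabilities, one socket family, TUN device, read-only
  # /etc/qemu, and its own process status.
  profile qemu_bridge_helper {
    # NOTE(review): include target stripped in extraction; assumed to be the
    # standard base abstraction — confirm against the upstream file.
    #include <abstractions/base>

    capability net_admin,
    capability setgid,
    capability setpcap,
    capability setuid,

    network inet stream,

    # Only the parent daemon may terminate it or talk to it over a socket.
    signal receive set=term peer=/usr/sbin/libvirtd,
    signal receive set=term peer=libvirtd,
    unix (send, receive) type=stream addr=none peer=(label=libvirtd),

    /dev/net/tun rw,
    /etc/qemu/** r,
    /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper mrix,
    owner @{PROC}/*/status r,
  }
}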