# Last Modified: Wed Jul 8 09:57:41 2009 #include #include #include # required for reading disk images capability dac_override, capability dac_read_search, capability chown, # needed to drop privileges capability setgid, capability setuid, # this is needed with libcap-ng support, however it breaks a lot of things # atm, so just silence the denial until libcap-ng works right. LP: #522845 deny capability setpcap, network inet stream, network inet6 stream, /dev/net/tun rw, /dev/kvm rw, /dev/ptmx rw, /dev/kqemu rw, @{PROC}/*/status r, # For hostdev access. The actual devices will be added dynamically /sys/bus/usb/devices/ r, /sys/devices/**/usb[0-9]*/** r, # WARNING: this gives the guest direct access to host hardware and specific # portions of shared memory. This is required for sound using ALSA with kvm, # but may constitute a security risk. If your environment does not require # the use of sound in your VMs, feel free to comment out or prepend 'deny' to # the rules for files in /dev. /{dev,run}/shm r, /{dev,run}/shmpulse-shm* r, /{dev,run}/shmpulse-shm* rwk, /dev/snd/* rw, capability ipc_lock, # 'kill' is not required for sound and is a security risk. Do not enable # unless you absolutely need it. deny capability kill, # Uncomment the following if you need access to /dev/fb* #/dev/fb* rw, /etc/pulse/client.conf r, @{HOME}/.pulse-cookie rwk, owner /root/.pulse-cookie rwk, owner /root/.pulse/ rw, owner /root/.pulse/* rw, /usr/share/alsa/** r, owner /tmp/pulse-*/ rw, owner /tmp/pulse-*/* rw, /var/lib/dbus/machine-id r, # access to firmware's etc /usr/share/kvm/** r, /usr/share/qemu/** r, /usr/share/bochs/** r, /usr/share/openbios/** r, /usr/share/openhackware/** r, /usr/share/proll/** r, /usr/share/vgabios/** r, /usr/share/seabios/** r, # access PKI infrastructure /etc/pki/libvirt-vnc/** r, # the various binaries /usr/bin/kvm rmix, /usr/bin/qemu rmix, /usr/bin/qemu-system-arm rmix, /usr/bin/qemu-system-cris rmix, /usr/bin/qemu-system-i386 rmix, /usr/bin/qemu-system-m68k rmix, /usr/bin/qemu-system-mips rmix, /usr/bin/qemu-system-mips64 rmix, /usr/bin/qemu-system-mips64el rmix, /usr/bin/qemu-system-mipsel rmix, /usr/bin/qemu-system-ppc rmix, /usr/bin/qemu-system-ppc64 rmix, /usr/bin/qemu-system-ppcemb rmix, /usr/bin/qemu-system-sh4 rmix, /usr/bin/qemu-system-sh4eb rmix, /usr/bin/qemu-system-sparc rmix, /usr/bin/qemu-system-sparc64 rmix, /usr/bin/qemu-system-x86_64 rmix, /usr/bin/qemu-alpha rmix, /usr/bin/qemu-arm rmix, /usr/bin/qemu-armeb rmix, /usr/bin/qemu-cris rmix, /usr/bin/qemu-i386 rmix, /usr/bin/qemu-m68k rmix, /usr/bin/qemu-mips rmix, /usr/bin/qemu-mipsel rmix, /usr/bin/qemu-ppc rmix, /usr/bin/qemu-ppc64 rmix, /usr/bin/qemu-ppc64abi32 rmix, /usr/bin/qemu-sh4 rmix, /usr/bin/qemu-sh4eb rmix, /usr/bin/qemu-sparc rmix, /usr/bin/qemu-sparc64 rmix, /usr/bin/qemu-sparc32plus rmix, /usr/bin/qemu-sparc64 rmix, /usr/bin/qemu-x86_64 rmix, # for save and resume /bin/dash rmix, /bin/dd rmix, /bin/cat rmix, # eatmydata / r, /** rwmkl, /bin/* PUx, /sbin/* PUx, /usr/bin/* PUx, /usr/sbin/* PUx, /usr/local/bin/kvm rmix, /usr/share/libeatmydata/eatmydata.sh rmix, /usr/lib/libeatmydata/libeatmydata.so mr,