package apparmor
import (
"text/template"
)
// qemuProfileTpl is the AppArmor profile template for the QEMU process that
// backs a virtual machine instance. It is parsed once at package init;
// template.Must panics on a syntax error, so a malformed template fails the
// binary at startup rather than at instance start.
//
// The template is executed with a data value (map or struct) that must expose
// the following fields:
//   - name: the profile name.
//   - ovmfPath, rootPath, logPath, path, devicesPath, exePath: host paths that
//     are spliced directly into file rules.
//   - userns, snap: booleans that enable the "inside a container" and the
//     snap-specific rule sections respectively.
//   - libraryPath: a rangeable value (presumably a slice of directories,
//     the in-template comment says derived from LD_LIBRARY_PATH — confirm
//     against the caller); each entry is granted "/** mr".
//   - raw: text inserted verbatim at the end of the profile body; the
//     in-template header labels it as the raw.apparmor configuration.
//
// Every value above is substituted without escaping or validation here, so a
// value containing AppArmor rule syntax changes the meaning of the profile.
// In particular, raw appends arbitrary rules to the profile, so whoever is
// able to set that value effectively authors part of the confinement policy;
// any restriction on who may set it belongs in the caller.
var qemuProfileTpl = template.Must(template.New("qemuProfile").Parse(`#include <tunables/global>
profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
capability dac_override,
capability dac_read_search,
capability ipc_lock,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
# Needed by qemu
/dev/hugepages/** rw,
/dev/kvm rw,
/dev/net/tun rw,
/dev/ptmx rw,
/dev/sev rw,
/dev/vfio/** rw,
/dev/vhost-net rw,
/dev/vhost-vsock rw,
/etc/ceph/** r,
/run/udev/data/* r,
/sys/bus/ r,
/sys/bus/nd/devices/ r,
/sys/bus/usb/devices/ r,
/sys/bus/usb/devices/** r,
/sys/class/ r,
/sys/devices/** r,
/sys/module/vhost/** r,
/tmp/lxd_sev_* r,
/{,usr/}bin/qemu* mrix,
{{ .ovmfPath }}/OVMF_CODE.fd kr,
{{ .ovmfPath }}/OVMF_CODE.*.fd kr,
/usr/share/qemu/** kr,
/usr/share/seabios/** kr,
owner @{PROC}/@{pid}/cpuset r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
{{ .rootPath }}/etc/nsswitch.conf r,
{{ .rootPath }}/etc/passwd r,
{{ .rootPath }}/etc/group r,
@{PROC}/version r,
# Used by qemu for live migration NBD server and client
unix (bind, listen, accept, send, receive, connect) type=stream,
# Used by qemu when inside a container
{{- if .userns }}
unix (send, receive) type=stream,
{{- end }}
# Instance specific paths
{{ .logPath }}/** rwk,
{{ .path }}/** rwk,
{{ .devicesPath }}/** rwk,
# Needed for lxd fork commands
{{ .exePath }} mr,
@{PROC}/@{pid}/cmdline r,
{{ .rootPath }}/{etc,lib,usr/lib}/os-release r,
# Things that we definitely don't need
deny @{PROC}/@{pid}/cgroup r,
deny /sys/module/apparmor/parameters/enabled r,
deny /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
{{- if .snap }}
# The binary itself (for nesting)
/var/snap/lxd/common/lxd.debug mr,
/snap/lxd/*/bin/lxd mr,
/snap/lxd/*/bin/qemu* mrix,
/snap/lxd/*/share/qemu/** kr,
# Snap-specific paths
/var/snap/lxd/common/ceph/** r,
/var/snap/microceph/*/conf/** r,
{{ .rootPath }}/etc/ceph/** r,
{{ .rootPath }}/run/systemd/resolve/stub-resolv.conf r,
{{ .rootPath }}/run/systemd/resolve/resolv.conf r,
# Snap-specific libraries
/snap/lxd/*/lib/**.so* mr,
{{- end }}
{{if .libraryPath -}}
# Entries from LD_LIBRARY_PATH
{{range $index, $element := .libraryPath}}
{{$element}}/** mr,
{{- end }}
{{- end }}
{{- if .raw }}
### Configuration: raw.apparmor
{{ .raw }}
{{- end }}
}
`))