# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path}  = /{usr/,}sbin/kvm-ok
profile kvm-ok @{exec_path} {
  include <abstractions/base>

  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh rix,

  /{usr/,}bin/uname      rix,
  /{usr/,}bin/{,e}grep   rix,
  /{usr/,}bin/id         rix,

  /{usr/,}bin/kmod       rCx -> kmod,

  /{usr/,}sbin/rdmsr     rPx,

  #/proc/cpuinfo r,
  #/dev/kvm r,
  #/dev/cpu/[0-9]*/msr r,

  # For shell pwd
  /root/ r,


  profile kmod {
    include <abstractions/base>

    /{usr/,}bin/kmod mr,

    /etc/modprobe.d/ r,
    /etc/modprobe.d/*.conf r,
    /{usr/,}lib/modprobe.d/ r,
    /{usr/,}lib/modprobe.d/*.conf r,

    @{PROC}/cmdline r,

  }

  include if exists <local/kvm-ok>
}