#include #include #include # required for reading disk images capability dac_override, capability dac_read_search, capability chown, # needed to drop privileges capability setgid, capability setuid, network inet stream, network inet6 stream, ptrace (readby, tracedby) peer=libvirtd, ptrace (readby, tracedby) peer=/usr/sbin/libvirtd, signal (receive) peer=libvirtd, signal (receive) peer=/usr/sbin/libvirtd, /dev/kvm rw, /dev/net/tun rw, /dev/ptmx rw, @{PROC}/*/status r, # When qemu is signaled to terminate, it will read cmdline of signaling # process for reporting purposes. Allowing read access to a process # cmdline may leak sensitive information embedded in the cmdline. @{PROC}/@{pid}/cmdline r, # Per man(5) proc, the kernel enforces that a thread may # only modify its comm value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, @{PROC}/sys/kernel/cap_last_cap r, @{PROC}/sys/vm/overcommit_memory r, # detect hardware capabilities via qemu_getauxval owner @{PROC}/*/auxv r, # For hostdev access. The actual devices will be added dynamically /sys/bus/usb/devices/ r, /sys/devices/**/usb[0-9]*/** r, # libusb needs udev data about usb devices (~equal to content of lsusb -v) /run/udev/data/+usb* r, /run/udev/data/c16[6,7]* r, /run/udev/data/c18[0,8,9]* r, # WARNING: this gives the guest direct access to host hardware and specific # portions of shared memory. This is required for sound using ALSA with kvm, # but may constitute a security risk. If your environment does not require # the use of sound in your VMs, feel free to comment out or prepend 'deny' to # the rules for files in /dev. /dev/snd/* rw, /{dev,run}/shm r, /{dev,run}/shmpulse-shm* r, /{dev,run}/shmpulse-shm* rwk, capability ipc_lock, # spice owner /{dev,run}/shm/spice.* rw, # 'kill' is not required for sound and is a security risk. Do not enable # unless you absolutely need it. deny capability kill, # Uncomment the following if you need access to /dev/fb* #/dev/fb* rw, /etc/pulse/client.conf r, @{HOME}/.pulse-cookie rwk, owner /root/.pulse-cookie rwk, owner /root/.pulse/ rw, owner /root/.pulse/* rw, /usr/share/alsa/** r, owner /tmp/pulse-*/ rw, owner /tmp/pulse-*/* rw, /var/lib/dbus/machine-id r, # access to firmware's etc /usr/share/AAVMF/** r, /usr/share/bochs/** r, /usr/share/edk2-ovmf/** r, /usr/share/kvm/** r, /usr/share/misc/sgabios.bin r, /usr/share/openbios/** r, /usr/share/openhackware/** r, /usr/share/OVMF/** r, /usr/share/ovmf/** r, /usr/share/proll/** r, /usr/share/qemu-efi/** r, /usr/share/qemu-kvm/** r, /usr/share/qemu/** r, /usr/share/seabios/** r, /usr/share/sgabios/** r, /usr/share/slof/** r, /usr/share/vgabios/** r, # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140) /etc/pki/CA/ r, /etc/pki/CA/* r, /etc/pki/libvirt{,-spice,-vnc}/ r, /etc/pki/libvirt{,-spice,-vnc}/** r, /etc/pki/qemu/ r, /etc/pki/qemu/** r, # the various binaries /usr/bin/kvm rmix, /usr/bin/kvm-spice rmix, /usr/bin/qemu rmix, /usr/bin/qemu-aarch64 rmix, /usr/bin/qemu-alpha rmix, /usr/bin/qemu-arm rmix, /usr/bin/qemu-armeb rmix, /usr/bin/qemu-cris rmix, /usr/bin/qemu-i386 rmix, /usr/bin/qemu-kvm rmix, /usr/bin/qemu-m68k rmix, /usr/bin/qemu-microblaze rmix, /usr/bin/qemu-microblazeel rmix, /usr/bin/qemu-mips rmix, /usr/bin/qemu-mips64 rmix, /usr/bin/qemu-mips64el rmix, /usr/bin/qemu-mipsel rmix, /usr/bin/qemu-mipsn32 rmix, /usr/bin/qemu-mipsn32el rmix, /usr/bin/qemu-or32 rmix, /usr/bin/qemu-ppc rmix, /usr/bin/qemu-ppc64 rmix, /usr/bin/qemu-ppc64abi32 rmix, /usr/bin/qemu-ppc64le rmix, /usr/bin/qemu-s390x rmix, /usr/bin/qemu-sh4 rmix, /usr/bin/qemu-sh4eb rmix, /usr/bin/qemu-sparc rmix, /usr/bin/qemu-sparc32plus rmix, /usr/bin/qemu-sparc64 rmix, /usr/bin/qemu-system-aarch64 rmix, /usr/bin/qemu-system-alpha rmix, /usr/bin/qemu-system-arm rmix, /usr/bin/qemu-system-cris rmix, /usr/bin/qemu-system-hppa rmix, /usr/bin/qemu-system-i386 rmix, /usr/bin/qemu-system-lm32 rmix, /usr/bin/qemu-system-m68k rmix, /usr/bin/qemu-system-microblaze rmix, /usr/bin/qemu-system-microblazeel rmix, /usr/bin/qemu-system-mips rmix, /usr/bin/qemu-system-mips64 rmix, /usr/bin/qemu-system-mips64el rmix, /usr/bin/qemu-system-mipsel rmix, /usr/bin/qemu-system-moxie rmix, /usr/bin/qemu-system-nios2 rmix, /usr/bin/qemu-system-or1k rmix, /usr/bin/qemu-system-or32 rmix, /usr/bin/qemu-system-ppc rmix, /usr/bin/qemu-system-ppc64 rmix, /usr/bin/qemu-system-ppcemb rmix, /usr/bin/qemu-system-riscv32 rmix, /usr/bin/qemu-system-riscv64 rmix, /usr/bin/qemu-system-s390x rmix, /usr/bin/qemu-system-sh4 rmix, /usr/bin/qemu-system-sh4eb rmix, /usr/bin/qemu-system-sparc rmix, /usr/bin/qemu-system-sparc64 rmix, /usr/bin/qemu-system-tricore rmix, /usr/bin/qemu-system-unicore32 rmix, /usr/bin/qemu-system-x86_64 rmix, /usr/bin/qemu-system-xtensa rmix, /usr/bin/qemu-system-xtensaeb rmix, /usr/bin/qemu-unicore32 rmix, /usr/bin/qemu-x86_64 rmix, # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761) /usr/{lib,lib64}/qemu/*.so mr, /usr/lib/@{multiarch}/qemu/*.so mr, # let qemu load old shared objects after upgrades (LP: #1847361) /{var/,}run/qemu/*/*.so mr, # but explicitly deny writing to these files audit deny /{var/,}run/qemu/*/*.so w, # swtpm /{usr/,}bin/swtpm rmix, /usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, # for save and resume /{usr/,}bin/dash rmix, /{usr/,}bin/dd rmix, /{usr/,}bin/cat rmix, # for restore /{usr/,}bin/bash rmix, # for usb access /dev/bus/usb/ r, /etc/udev/udev.conf r, /sys/bus/ r, /sys/class/ r, # for rbd /etc/ceph/ceph.conf r, # Various functions will need to enumerate /tmp (e.g. ceph), allow the base # dir and a few known functions like samba support. # We want to avoid to give blanket rw permission to everything under /tmp, # users are expected to add site specific addons for more uncommon cases. # Qemu processes usually all run as the same users, so the "owner" # restriction prevents access to other services files, but not across # different instances. # This is a tradeoff between usability and security - if paths would be more # predictable that would be preferred - at least for write rules we would # want more unique paths per rule. /{,var/}tmp/ r, owner /{,var/}tmp/**/ r, # for file-posix getting limits since 9103f1ce /sys/devices/**/block/*/queue/max_segments r, # for ppc device-tree access @{PROC}/device-tree/ r, @{PROC}/device-tree/** r, /sys/firmware/devicetree/** r, # allow connect with openGraphicsFD to work unix (send, receive) type=stream addr=none peer=(label=libvirtd), unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), # for gathering information about available host resources /sys/devices/system/cpu/ r, /sys/devices/system/node/ r, /sys/devices/system/node/node[0-9]*/meminfo r, /sys/module/vhost/parameters/max_mem_regions r, # silence refusals to open lttng files (see LP: #1432644) deny /dev/shm/lttng-ust-wait-* r, deny /run/shm/lttng-ust-wait-* r, # for vfio hotplug on systems without static vfio (LP: #1775777) /dev/vfio/vfio rw, # required for sasl GSSAPI plugin /etc/gss/mech.d/ r, /etc/gss/mech.d/* r, # required by libpmem init to fts_open()/fts_read() the symlinks in # /sys/bus/nd/devices / r, # harmless on any lsb compliant system /sys/bus/nd/devices/{,**/} r, # Site-specific additions and overrides. See local/README for details. #include