# Last Modified: Mon Apr  5 15:10:27 2010
#include <tunables/global>

profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  # needed for searching directories
  capability dac_override,
  capability dac_read_search,

  # needed for when disk is on a network filesystem
  network inet,
  network inet6,

  deny @{PROC}/[0-9]*/mounts r,
  @{PROC}/[0-9]*/net/psched r,
  owner @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,

  /etc/libnl-3/classid r,

  # for hostdev
  /sys/devices/ r,
  /sys/devices/** r,
  /sys/bus/usb/devices/ r,
  deny /dev/sd* r,
  deny /dev/vd* r,
  deny /dev/dm-* r,
  deny /dev/drbd[0-9]* r,
  deny /dev/dasd* r,
  deny /dev/nvme* r,
  deny /dev/zd[0-9]* r,
  deny /dev/mapper/ r,
  deny /dev/mapper/* r,

  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
  /{usr/,}sbin/apparmor_parser Ux,

  # for openvswitch
  /{,var/}run/** rw,

  /etc/apparmor.d/libvirt/* r,
  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,

  # for backingstore -- allow access to non-hidden files in @{HOME} as well
  # as storage pools
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** r,
  /var/lib/libvirt/images/ r,
  /var/lib/libvirt/images/** r,
  # nova base images (LP: #907269)
  /var/lib/nova/images/** r,
  /var/lib/nova/instances/_base/** r,
  # nova snapshots (LP: #1244694)
  /var/lib/nova/instances/snapshots/** r,
  # nova base/snapshot files in snapped nova (LP: #1644507)
  /var/snap/nova-hypervisor/common/instances/_base/** r,
  /var/snap/nova-hypervisor/common/instances/snapshots/** r,
  # eucalyptus (LP: #564914)
  /var/lib/eucalyptus/instances/**/disk* r,
  # eucalyptus loader (LP: #637544)
  /var/lib/eucalyptus/instances/**/loader* r,
  # for uvtool
  /var/lib/uvtool/libvirt/images/** r,
  # for multipass
  /var/snap/multipass/common/data/multipassd/vault/instances/** r,
  /{media,mnt,opt,srv}/** r,
  # For virt-sandbox
  /{,var/}run/libvirt/**/[sv]d[a-z] r,

  /**.img r,
  /**.raw r,
  /**.qcow{,2} r,
  /**.qed r,
  /**.vmdk r,
  /**.[iI][sS][oO] r,
  /**/disk{,.*} r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.libvirt.virt-aa-helper>
}