Merge pull request #12687 from simondeziel/qemu-aa-profile

Tighten up QEMU Apparmor profile
canonical · Jan 18, 2024 · 35a988f · 35a988f
2 parents 431ad46 + ce24649
commit 35a988f
Showing 1 changed file with 3 additions and 8 deletions.
diff --git a/lxd/apparmor/instance_qemu.go b/lxd/apparmor/instance_qemu.go
@@ -38,7 +38,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   /sys/devices/**                           r,
   /sys/module/vhost/**                      r,
   /tmp/lxd_sev_*                            r,
-  /{,usr/}bin/qemu*                         mrix,
+  /{,usr/}bin/qemu-system-*                 mrix,
   {{ .ovmfPath }}/OVMF_CODE.fd              kr,
   {{ .ovmfPath }}/OVMF_CODE.*.fd            kr,
   /usr/share/qemu/**                        kr,
@@ -50,14 +50,9 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   {{ .rootPath }}/etc/group                 r,
   @{PROC}/version                           r,
 
-  # Used by qemu for live migration NBD server and client
+  # Used by qemu for live migration NBD server and client or when in a container
   unix (bind, listen, accept, send, receive, connect) type=stream,
 
-  # Used by qemu when inside a container
-{{- if .userns }}
-  unix (send, receive) type=stream,
-{{- end }}
-
   # Instance specific paths
   {{ .logPath }}/** rwk,
   {{ .path }}/** rwk,
@@ -77,7 +72,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   # The binary itself (for nesting)
   /var/snap/lxd/common/lxd.debug            mr,
   /snap/lxd/*/bin/lxd                       mr,
-  /snap/lxd/*/bin/qemu*                     mrix,
+  /snap/lxd/*/bin/qemu-system-*             mrix,
   /snap/lxd/*/share/qemu/**                 kr,
 
   # Snap-specific paths