From d4c975ad30906b96867863538f34f6e2db4e9752 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 19 Dec 2023 09:44:10 -0500
Subject: [PATCH 1/2] lxd/apparmor/instance_qemu: only allow QEMU system emulator
LXD executes `qemu-system-$(uname -m)` so the Apparmor profile can be tighten up to prevent the execution of other binaries starting with the `qemu` prefix. In the snap case, there is one such binary, `qemu-img`.
Signed-off-by: Simon Deziel
---
 lxd/apparmor/instance_qemu.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lxd/apparmor/instance_qemu.go b/lxd/apparmor/instance_qemu.go
index dd7a73dad092..fa9f424992db 100644
--- a/lxd/apparmor/instance_qemu.go
+++ b/lxd/apparmor/instance_qemu.go
@@ -38,7 +38,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 /sys/devices/** r,
 /sys/module/vhost/** r,
 /tmp/lxd_sev_* r,
- /{,usr/}bin/qemu* mrix,
+ /{,usr/}bin/qemu-system-* mrix,
 {{ .ovmfPath }}/OVMF_CODE.fd kr,
 {{ .ovmfPath }}/OVMF_CODE.*.fd kr,
 /usr/share/qemu/** kr,
@@ -77,7 +77,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 # The binary itself (for nesting)
 /var/snap/lxd/common/lxd.debug mr,
 /snap/lxd/*/bin/lxd mr,
- /snap/lxd/*/bin/qemu* mrix,
+ /snap/lxd/*/bin/qemu-system-* mrix,
 /snap/lxd/*/share/qemu/** kr,
 # Snap-specific paths
From ce24649a9164a7eecc4fcc4d9f7ec98bf29b2ec8 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 20 Dec 2023 12:59:28 -0500
Subject: [PATCH 2/2] lxd/apparmor/instance_qemu: remove partial duplication of unix rule
Signed-off-by: Simon Deziel
---
 lxd/apparmor/instance_qemu.go | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/lxd/apparmor/instance_qemu.go b/lxd/apparmor/instance_qemu.go
index fa9f424992db..b4de218f6f1a 100644
--- a/lxd/apparmor/instance_qemu.go
+++ b/lxd/apparmor/instance_qemu.go
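Review bot: The narrowed rule `/{,usr/}bin/qemu-system-* mrix,` in the first hunk (and its snap twin in the second) still grants `ix` execution of every `qemu-system-<arch>` emulator installed on the host, while the commit message says LXD only ever runs `qemu-system-$(uname -m)`. The profile is already a Go template fed values such as `.ovmfPath`, so if the host architecture is (or can be) passed in as well, `/{,usr/}bin/qemu-system-{{ .arch }} mrix,` would match the stated intent exactly; I cannot see the template's data struct, so the variable name is a placeholder to confirm. Either way the rule deserves a why-comment so the next edit does not widen it back to `qemu*`, e.g. `# LXD only executes the system emulator; keep qemu-img and other qemu-* tools out of the profile`. The enclosing `profile` block starts and ends outside the hunk.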
@@ -50,14 +50,9 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 {{ .rootPath }}/etc/group r,
 @{PROC}/version r,
- # Used by qemu for live migration NBD server and client
+ # Used by qemu for live migration NBD server and client or when in a container
 unix (bind, listen, accept, send, receive, connect) type=stream,
- # Used by qemu when inside a container
-{{- if .userns }}
- unix (send, receive) type=stream,
-{{- end }}
-
 # Instance specific paths
 {{ .logPath }}/** rwk,
 {{ .path }}/** rwk,
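Review bot: The surviving `unix (bind, listen, accept, send, receive, connect) type=stream,` rule carries no `addr=` qualifier, so the confined QEMU process may bind, listen on and connect to unix stream sockets at any address, not only the migration NBD endpoint; this was already true before the patch (the rule was unconditional and the removed `{{- if .userns }}` block was a strict subset of it), but now that it is the single rule covering both uses it is the natural place to narrow the `bind, listen, accept` side with an `addr=` qualifier if the NBD listener's socket address is fixed and known to LXD — I cannot see where that socket is created, so this needs confirming. The new comment `or when in a container` also reads as if the rule were still conditional; `# Used by qemu for live migration (NBD server and client) and for stream sockets when LXD itself runs inside a container` states what the merged rule actually covers. The enclosing `profile` block starts and ends outside the hunk.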