# AppArmor profile for systemd-detect-virt(1).
#
# Rules are grouped under "## systemd/src/..." headings naming the systemd
# function that performs the access, so each rule can be traced back to the
# source when the profile has to be revisited for a new systemd release.
# Commented-out rules record probes (access(2)/stat) that AppArmor does not
# mediate; they are documentation, not policy.

# Pin the policy ABI so the parser applies the feature set the rules below rely on.
abi <abi/4.0>,

include <tunables/global>

profile systemd-detect-virt /usr/bin/systemd-detect-virt {
  include <abstractions/base>

  # The confined binary itself: read plus executable mapping.
  /usr/bin/systemd-detect-virt mr,

  # Not using @{run}, etc. because all the paths below are hardcoded absolute prefixes
  # in the systemd source, so the tunables would not add any portability here.
  # F_OK checks via access(2) are not mediated, but the paths are still noted below
  # (as commented-out rules) in case we need to do something with them later.

  ## systemd/src/basic/virt.c:detect_container
  #/proc/{vz,bc} r, # F_OK

  /proc/sys/kernel/osrelease r,
  # /proc/self/status -> /proc/@{TracerPid}/comm -> startswith("proot")
  # @{pid} is the confined process's own pid; the tracer's pid is only known at
  # runtime, so its comm file needs the wider @{pids} pattern.
  /proc/@{pid}/status r,
  /proc/@{pids}/comm r,

  /run/host/container-manager r,

  /run/systemd/container r,
  # Check env vars of non-systemd init, which (according to source comment) needs CAP_SYS_PTRACE
  /proc/1/environ r,
  capability sys_ptrace,
  # peer=systemd itself but unfortunately we can't be more fine-grained than this:
  # PID 1 is unconfined, and "unconfined" is the narrowest peer label that matches it.
  # Together with sys_ptrace this is the broadest grant in the profile (ptrace-read
  # of any unconfined process, not just PID 1), so it deserves review whenever the
  # profile changes.
  ptrace read peer=unconfined,

  # systemd/src/basic/virt.c:detect_container_files
  #/run/.containerenv r, # F_OK
  #/.dockerenv r, # F_OK
  # systemd/src/basic/virt.c:running_in_pidns -> systemd/src/basic/namespace-util.c:namespace_is_init
  /proc/sys/kernel/cap_last_cap r,
  /proc/filesystems r,
  /proc/@{pid}/{g,u}id_map r,
  #/proc/ns/pid/ r, # stat
  # NOTE(review): the commented-out path above appears to lack the @{pid} component
  # (compare the ns/cgroup line below); confirm against the source before enabling it.
  # Unsure if /proc/ r, is needed for checking whether /proc/ is set up
  #/proc/@{pid}/ns/cgroup r, # F_OK
  #/sys/fs/cgroup/ r, # statfs
  #/sys/fs/cgroup/cgroup.events r, # F_OK

  ## systemd/src/basic/virt.c:detect_vm
  # detect_vm_dmi -> detect_vm_dmi_vendor
  # /sys/class/dmi/id is a symlink to /sys/devices/virtual/dmi/id; the rule is
  # written on the resolved target because that is the path AppArmor matches.
  /sys/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,product_version} r,
  # detect_vm_dmi -> detect_vm_smbios
  /sys/firmware/dmi/entries/0-0/raw r,
  # detect_vm_uml
  /proc/cpuinfo r,
  # detect_vm_xen
  #/proc/xen r, # F_OK
  # detect_vm_xen -> detect_vm_xen_dom0
  /sys/hypervisor/properties/features r,
  /proc/xen/capabilities r,
  # detect_vm_cpuid uses the cpuid instruction and doesn't need rules
  # detect_vm_hypervisor
  /sys/hypervisor/type r,
  # detect_vm_device_tree
  /proc/device-tree/hypervisor/compatible r,
  #"/proc/device-tree/ibm,partition-name" r, # F_OK
  #"/proc/device-tree/hmc-managed?" r, # F_OK
  #"/proc/device-tree/chosen/qemu,graphic-width" r, # F_OK
  /proc/device-tree/ r, # FOREACH_DIRENT looking for /proc/device-tree/*fw-cfg*
  /proc/device-tree/compatible r,
  # detect_vm_zvm
  /proc/sysinfo r,

  ## systemd/src/basic/confidential-virt.c:detect_confidential_virtualization
  # defined(__x86_64__)
  # detect_sev -> msr
  # NOTE(review): opening the msr device may additionally require CAP_SYS_RAWIO in
  # the kernel; if the audit log shows a capability denial here on SEV-capable hosts,
  # a `capability sys_rawio,` rule may be needed — confirm before adding it.
  /dev/cpu/0/msr r,
  # detect_tdx has no accesses
  # defined(__s390x__)
  /sys/firmware/uv/prot_virt_guest r,
  # defined(__aarch64__)
  #/sys/devices/platform/arm-cca-dev r, # F_OK

  # Site-local additions belong in the local override, not in this file.
  include if exists <local/systemd-detect-virt>
}