Merge profiles: add a systemd-detect-virt profile

Signed-off-by: Ryan Lee <ryan.lee@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1640 Approved-by: Maxime Bélair <maxime.belair@canonical.com> Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-08-22 01:57:43 +00:00 · 2025-05-12 13:47:22 +00:00 · 2025-05-12 13:47:22 +00:00 · 8652b61f67
commit 8652b61f67
parent 2800aaedd0 fa2d082741
1 changed files with 80 additions and 0 deletions
--- a/profiles/apparmor.d/systemd-detect-virt
+++ b/profiles/apparmor.d/systemd-detect-virt
@ -0,0 +1,80 @@
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile systemd-detect-virt /usr/bin/systemd-detect-virt {
+  include <abstractions/base>
+  
+  /usr/bin/systemd-detect-virt mr,
+  
+  # Not using @{run}, etc. because all the paths below are hardcoded absolute prefixes
+  # F_OK and access(2) not mediated but still note these in case we need to do something with them later
+
+  ## systemd/src/basic/virt.c:detect_container
+  #/proc/{vz,bc} r, # F_OK
+
+  /proc/sys/kernel/osrelease r,
+  # /proc/self/status -> /proc/@{TracerPid}/comm -> startswith("proot")
+  /proc/@{pid}/status r,
+  /proc/@{pids}/comm r,
+
+  /run/host/container-manager r,
+
+  /run/systemd/container r,
+  # Check env vars of non-systemd init, which (according to source comment) needs CAP_SYS_PTRACE
+  /proc/1/environ r,
+  capability sys_ptrace,
+  # peer=systemd itself but unfortunately we can't be more fine-grained than this
+  ptrace read peer=unconfined,
+
+  # systemd/src/basic/virt.c:detect_container_files
+  #/run/.containerenv r, # F_OK
+  #/.dockerenv r, # F_OK
+  # systemd/src/basic/virt.c:running_in_pidns -> systemd/src/basic/namespace-util.c:namespace_is_init
+  /proc/sys/kernel/cap_last_cap r,
+  /proc/filesystems r,
+  /proc/@{pid}/{g,u}id_map r,
+  #/proc/ns/pid/ r, # stat
+  # Unsure if /proc/ r, is needed for checking whether /proc/ is set up
+  #/proc/@{pid}/ns/cgroup r, # F_OK
+  #/sys/fs/cgroup/ r, # statfs
+  #/sys/fs/cgroup/cgroup.events r, # F_OK
+  
+  ## systemd/src/basic/virt.c:detect_vm
+  # detect_vm_dmi -> detect_vm_dmi_vendor
+  # /sys/class/dmi/id is symlink to /sys/devices/virtual/dmi/id
+  /sys/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,product_version} r,
+  # detect_vm_dmi -> detect_vm_smbios
+  /sys/firmware/dmi/entries/0-0/raw r,
+  # detect_vm_uml
+  /proc/cpuinfo r,
+  # detect_vm_xen
+  #/proc/xen r, # F_OK
+  # detect_vm_xen -> detect_vm_xen_dom0
+  /sys/hypervisor/properties/features r,
+  /proc/xen/capabilities r,
+  # detect_vm_cpuid uses the cpuid instruction and doesn't need rules
+  # detect_vm_hypervisor
+  /sys/hypervisor/type r,
+  # detect_vm_device_tree
+  /proc/device-tree/hypervisor/compatible r,
+  #"/proc/device-tree/ibm,partition-name" r, # F_OK
+  #"/proc/device-tree/hmc-managed?" r, # F_OK
+  #"/proc/device-tree/chosen/qemu,graphic-width" r, #F_OK
+  /proc/device-tree/ r, # FOREACH_DIRENT looking for /proc/device-tree/*fw-cfg*
+  /proc/device-tree/compatible r,
+  # detect_vm_zvm
+  /proc/sysinfo r,
+
+  ##systemd/src/basic/confidential-virt.c:detect_confidential_virtualization
+  # defined(__x86_64__)
+  # detect_sev -> msr
+  /dev/cpu/0/msr r,
+  # detect_tdx has no accesses
+  # defined(__s390x__)
+  /sys/firmware/uv/prot_virt_guest r,
+  # defined(__aarch64__)
+  #/sys/devices/platform/arm-cca-dev r, # F_OK
+  
+  include if exists <local/systemd-detect-virt>
+}