diff --git a/profiles/apparmor.d/systemd-detect-virt b/profiles/apparmor.d/systemd-detect-virt
new file mode 100644
index 000000000..a7abb2d2c
--- /dev/null
+++ b/profiles/apparmor.d/systemd-detect-virt
@@ -0,0 +1,80 @@
+abi ,
+
+include
+
+profile systemd-detect-virt /usr/bin/systemd-detect-virt {
+ include
+
+ /usr/bin/systemd-detect-virt mr,
+
+ # Not using @{run}, etc. because all the paths below are hardcoded absolute prefixes
+ # F_OK and access(2) not mediated but still note these in case we need to do something with them later
+
+ ## systemd/src/basic/virt.c:detect_container
+ #/proc/{vz,bc} r, # F_OK
+
+ /proc/sys/kernel/osrelease r,
+ # /proc/self/status -> /proc/@{TracerPid}/comm -> startswith("proot")
+ /proc/@{pid}/status r,
+ /proc/@{pids}/comm r,
+
+ /run/host/container-manager r,
+
+ /run/systemd/container r,
+ # Check env vars of non-systemd init, which (according to source comment) needs CAP_SYS_PTRACE
+ /proc/1/environ r,
+ capability sys_ptrace,
+ # peer=systemd itself but unfortunately we can't be more fine-grained than this
+ ptrace read peer=unconfined,
+
+ # systemd/src/basic/virt.c:detect_container_files
+ #/run/.containerenv r, # F_OK
+ #/.dockerenv r, # F_OK
+ # systemd/src/basic/virt.c:running_in_pidns -> systemd/src/basic/namespace-util.c:namespace_is_init
+ /proc/sys/kernel/cap_last_cap r,
+ /proc/filesystems r,
+ /proc/@{pid}/{g,u}id_map r,
+ #/proc/ns/pid/ r, # stat
+ # Unsure if /proc/ r, is needed for checking whether /proc/ is set up
+ #/proc/@{pid}/ns/cgroup r, # F_OK
+ #/sys/fs/cgroup/ r, # statfs
+ #/sys/fs/cgroup/cgroup.events r, # F_OK
+
+ ## systemd/src/basic/virt.c:detect_vm
+ # detect_vm_dmi -> detect_vm_dmi_vendor
+ # /sys/class/dmi/id is symlink to /sys/devices/virtual/dmi/id
+ /sys/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,product_version} r,
+ # detect_vm_dmi -> detect_vm_smbios
+ /sys/firmware/dmi/entries/0-0/raw r,
+ # detect_vm_uml
+ /proc/cpuinfo r,
+ # detect_vm_xen
+ #/proc/xen r, # F_OK
+ # detect_vm_xen -> detect_vm_xen_dom0
+ /sys/hypervisor/properties/features r,
+ /proc/xen/capabilities r,
+ # detect_vm_cpuid uses the cpuid instruction and doesn't need rules
+ # detect_vm_hypervisor
+ /sys/hypervisor/type r,
+ # detect_vm_device_tree
+ /proc/device-tree/hypervisor/compatible r,
+ #"/proc/device-tree/ibm,partition-name" r, # F_OK
+ #"/proc/device-tree/hmc-managed?" r, # F_OK
+ #"/proc/device-tree/chosen/qemu,graphic-width" r, #F_OK
+ /proc/device-tree/ r, # FOREACH_DIRENT looking for /proc/device-tree/*fw-cfg*
+ /proc/device-tree/compatible r,
+ # detect_vm_zvm
+ /proc/sysinfo r,
+
+ ##systemd/src/basic/confidential-virt.c:detect_confidential_virtualization
+ # defined(__x86_64__)
+ # detect_sev -> msr
+ /dev/cpu/0/msr r,
+ # detect_tdx has no accesses
+ # defined(__s390x__)
+ /sys/firmware/uv/prot_virt_guest r,
+ # defined(__aarch64__)
+ #/sys/devices/platform/arm-cca-dev r, # F_OK
+
+ include if exists
+}
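Review bot: The `/dev/cpu/0/msr r,` rule under `# detect_sev -> msr` is probably not sufficient on its own: as far as I know the x86 msr character device checks CAP_SYS_RAWIO at open time, so a confined systemd-detect-virt running as root would hit a capability denial in the audit log rather than the read succeeding, and the SEV check would quietly fall back to "not confidential". If SEV detection is meant to work under this profile, the rule needs a companion `capability sys_rawio,` next to it, with the same source reference as the other rules; if it is meant to be withheld because CAP_SYS_RAWIO is a broad grant, a one-line comment such as `# msr open also needs CAP_SYS_RAWIO, deliberately not granted here` would stop the next maintainer from adding it without weighing that. Either way the decision should be recorded, since this is the only rule in the profile whose effective outcome depends on a capability that is neither listed nor mentioned. The two ptrace-related lines above are already documented by the author and are not re-raised here.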