From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH v2 5/7] apparmor: Sort paths in blocks in libvirt-qemu profile
Date: Thu, 30 Jan 2020 08:04:25 +0100
Message-Id: <40813653d0b86fd1f8ccb29373411b062676776a.1580367726.git.mprivozn@redhat.com>
List-Id: Development discussions about the libvirt library & tools

Even though we construct a domain-specific profile for each domain we start (which should cover domain-specific paths), there is also another file that is included from the profile and which contains domain-agnostic paths (e.g. to cover libraries that qemu links with). The paths in the file are split into blocks divided by comments. Sort the paths in each block individually (ignoring case sensitivity).

Signed-off-by: Michal Privoznik
Acked-by: Christian Ehrhardt
---
 src/security/apparmor/libvirt-qemu | 76 +++++++++++++++---------------
 1 file changed, 38 insertions(+), 38 deletions(-)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index d33348aa05..2291829270 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -22,8 +22,8 @@ signal (receive) peer=3Dlibvirtd, signal (receive) peer=3D/usr/sbin/libvirtd, =20 - /dev/net/tun rw, /dev/kvm rw, + /dev/net/tun rw, /dev/ptmx rw, @{PROC}/*/status r, # When qemu is signaled to terminate, it will read cmdline of signaling @@ -39,19 +39,19 @@ /sys/bus/usb/devices/ r, /sys/devices/**/usb[0-9]*/** r, # libusb needs udev data about usb devices (~equal to content of lsusb -= v) + /run/udev/data/+usb* r, /run/udev/data/c16[6,7]* r, /run/udev/data/c18[0,8,9]* r, - /run/udev/data/+usb* r, =20 # WARNING: this gives the guest direct access to host hardware and speci= fic # portions of shared memory. This is required for sound using ALSA with = kvm, # but may constitute a security risk. If your environment does not requi= re # the use of sound in your VMs, feel free to comment out or prepend 'den= y' to # the rules for files in /dev. + /dev/snd/* rw, /{dev,run}/shm r, /{dev,run}/shmpulse-shm* r, /{dev,run}/shmpulse-shm* rwk, - /dev/snd/* rw, capability ipc_lock, # spice owner /{dev,run}/shm/spice.* rw, @@ -73,21 +73,21 @@ /var/lib/dbus/machine-id r, =20 # access to firmware's etc - /usr/share/kvm/** r, - /usr/share/qemu/** r, - /usr/share/qemu-kvm/** r, + /usr/share/AAVMF/** r, /usr/share/bochs/** r, + /usr/share/kvm/** r, + /usr/share/misc/sgabios.bin r, /usr/share/openbios/** r, /usr/share/openhackware/** r, - /usr/share/proll/** r, - /usr/share/vgabios/** r, - /usr/share/seabios/** r, - /usr/share/misc/sgabios.bin r, - /usr/share/ovmf/** r, /usr/share/OVMF/** r, - /usr/share/AAVMF/** r, + /usr/share/ovmf/** r, + /usr/share/proll/** r, /usr/share/qemu-efi/** r, + /usr/share/qemu-kvm/** r, + /usr/share/qemu/** r, + /usr/share/seabios/** r, /usr/share/slof/** r, + /usr/share/vgabios/** r, =20 # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140) /etc/pki/CA/ r, 
@@ -98,7 +98,33 @@ # the various binaries /usr/bin/kvm rmix, /usr/bin/qemu rmix, + /usr/bin/qemu-aarch64 rmix, + /usr/bin/qemu-alpha rmix, + /usr/bin/qemu-arm rmix, + /usr/bin/qemu-armeb rmix, + /usr/bin/qemu-cris rmix, + /usr/bin/qemu-i386 rmix, /usr/bin/qemu-kvm rmix, + /usr/bin/qemu-m68k rmix, + /usr/bin/qemu-microblaze rmix, + /usr/bin/qemu-microblazeel rmix, + /usr/bin/qemu-mips rmix, + /usr/bin/qemu-mips64 rmix, + /usr/bin/qemu-mips64el rmix, + /usr/bin/qemu-mipsel rmix, + /usr/bin/qemu-mipsn32 rmix, + /usr/bin/qemu-mipsn32el rmix, + /usr/bin/qemu-or32 rmix, + /usr/bin/qemu-ppc rmix, + /usr/bin/qemu-ppc64 rmix, + /usr/bin/qemu-ppc64abi32 rmix, + /usr/bin/qemu-ppc64le rmix, + /usr/bin/qemu-s390x rmix, + /usr/bin/qemu-sh4 rmix, + /usr/bin/qemu-sh4eb rmix, + /usr/bin/qemu-sparc rmix, + /usr/bin/qemu-sparc32plus rmix, + /usr/bin/qemu-sparc64 rmix, /usr/bin/qemu-system-aarch64 rmix, /usr/bin/qemu-system-alpha rmix, /usr/bin/qemu-system-arm rmix, @@ -132,32 +158,6 @@ /usr/bin/qemu-system-x86_64 rmix, /usr/bin/qemu-system-xtensa rmix, /usr/bin/qemu-system-xtensaeb rmix, - /usr/bin/qemu-aarch64 rmix, - /usr/bin/qemu-alpha rmix, - /usr/bin/qemu-arm rmix, - /usr/bin/qemu-armeb rmix, - /usr/bin/qemu-cris rmix, - /usr/bin/qemu-i386 rmix, - /usr/bin/qemu-m68k rmix, - /usr/bin/qemu-microblaze rmix, - /usr/bin/qemu-microblazeel rmix, - /usr/bin/qemu-mips rmix, - /usr/bin/qemu-mips64 rmix, - /usr/bin/qemu-mips64el rmix, - /usr/bin/qemu-mipsel rmix, - /usr/bin/qemu-mipsn32 rmix, - /usr/bin/qemu-mipsn32el rmix, - /usr/bin/qemu-or32 rmix, - /usr/bin/qemu-ppc rmix, - /usr/bin/qemu-ppc64 rmix, - /usr/bin/qemu-ppc64abi32 rmix, - /usr/bin/qemu-ppc64le rmix, - /usr/bin/qemu-s390x rmix, - /usr/bin/qemu-sh4 rmix, - /usr/bin/qemu-sh4eb rmix, - /usr/bin/qemu-sparc rmix, - /usr/bin/qemu-sparc32plus rmix, - /usr/bin/qemu-sparc64 rmix, /usr/bin/qemu-unicore32 rmix, /usr/bin/qemu-x86_64 rmix, # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761) --=20 2.24.1
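Review bot: the reorder in the @@ -39,19 hunk is a policy no-op, and the commit message should say so: AppArmor file rules within a profile are unioned irrespective of their textual order, so moving `/run/udev/data/+usb* r,` and `/dev/snd/* rw,` grants nothing new and removes nothing; the one caveat worth a sentence is that `deny` rules, which the comment in this block invites admins to prepend, also win regardless of position. Separately, `/{dev,run}/shmpulse-shm* r,` is fully covered by the `/{dev,run}/shmpulse-shm* rwk,` line right below it, so it could go in a follow-up cleanup.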
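Review bot: the @@ -73,21 hunk settles the tie-break and punctuation order only implicitly, so the commit message should name the exact command used, otherwise later additions will not land in the same place: `/usr/share/OVMF/** r,` now precedes `/usr/share/ovmf/** r,` (uppercase first on a case-insensitive tie, the reverse of the pre-patch order), and `/usr/share/qemu-efi/** r,` precedes `/usr/share/qemu/** r,` because `-` sorts before `/` in the C locale. Both match `LC_ALL=C sort -f`; a locale-aware sort treats case and punctuation differently and would reshuffle the block on the next edit.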
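Review bot: the @@ -98,7 and @@ -132,32 hunks are one move and check out as such: the 26 `+` lines of `/usr/bin/qemu-<arch> rmix,` added before `/usr/bin/qemu-system-aarch64 rmix,` are byte-identical to the 26 `-` lines removed after `/usr/bin/qemu-system-xtensaeb rmix,`, and the context line `/usr/bin/qemu-kvm rmix,` sits between `qemu-i386` and `qemu-m68k` as the case-insensitive order requires, so no execute permission is gained or lost.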
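As an added check, not part of this patch or of libvirt, the script below applies the commit message's rule (sort the rule lines of each comment-delimited block, ignoring case) to a constructed profile excerpt and reports any rule that is out of order within its block; the excerpt and the tie-break of uppercase before lowercase, assumed here to mirror `LC_ALL=C sort -f`, are this example's own.

```python
# Constructed excerpt modelled on libvirt-qemu's blocks (not the real file), pre-patch order.
SAMPLE = """\
  # access to firmware's etc
  /usr/share/qemu/** r,
  /usr/share/bochs/** r,
  /usr/share/ovmf/** r,
  /usr/share/OVMF/** r,
  /usr/share/AAVMF/** r,
  /usr/share/qemu-efi/** r,

  # the various binaries
  /usr/bin/qemu-system-x86_64 rmix,
  /usr/bin/qemu-aarch64 rmix,
"""

def is_separator(line):
    # Comment and blank lines delimit blocks and are never moved.
    return not line.strip() or line.lstrip().startswith("#")

def sort_key(line):
    # Case-insensitive first, raw code points as tie-break, so OVMF lands
    # before ovmf (assumed to mirror what `LC_ALL=C sort -f` produces).
    return (line.lower(), line)

def sort_blocks(text):
    """Sort the rule lines of every comment-delimited block independently."""
    out, block = [], []
    for line in text.splitlines():
        if is_separator(line):
            out.extend(sorted(block, key=sort_key))
            block = []
            out.append(line)
        else:
            block.append(line)
    out.extend(sorted(block, key=sort_key))
    return "\n".join(out) + "\n"

def unsorted_lines(text):
    """1-based numbers of rule lines that sort before their predecessor in the
    same block; an empty list means the profile passes the check."""
    bad, prev = [], None
    for num, line in enumerate(text.splitlines(), 1):
        if is_separator(line):
            prev = None
            continue
        if prev is not None and sort_key(line) < prev:
            bad.append(num)
        prev = sort_key(line)
    return bad
```

Running `unsorted_lines` over the real profile after applying the patch should return an empty list; a non-empty result names the lines a reviewer needs to look at.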