Apparmor for VM

BelCloud

I'm looking to activate AppArmor for the Proxmox VMs, in order to add an additional level of security, especially since the processes are running as root.

Currently, this is what I've come up with:

Code:
#include <tunables/global>

profile /usr/bin/qemu-system-x86_64 flags=(attach_disconnected, mediate_deleted) {

  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>
  include <abstractions/user-tmp>
  include <abstractions/openssl>

  /etc/pve/nodes/*/pve-ssl.pem r,
  /etc/pve/nodes/*/pve-ssl.key r,
  /etc/pve/pve-root-ca.pem r,

  /usr/bin/qemu-system-x86_64 rix,
  /usr/libexec/qemu-server/pve-bridge rix,
  /usr/libexec/qemu-server/pve-bridgedown rix,
  /usr/libexec/qemu-server/pve-bridge-hotplug rix,
  /usr/bin/perl ix,
  /bin/bash ix,
  /usr/bin/ip rix,
  /usr/sbin/ip rix,
  /sbin/ip rix,
  /usr/sbin/brctl ix,
  /sbin/brctl ix,
  /usr/bin/dash rix,
  /usr/sbin/tc rix,

  capability chown,
  capability dac_override,
  capability fowner,
  capability ipc_lock,
  capability kill,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_resource,

  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  network unix stream,
  network unix dgram,

  deny capability sys_admin,
  deny capability sys_ptrace,
  deny capability sys_module,
  deny capability sys_rawio,
  deny capability mknod,

  /dev/kvm rw,
  /dev/net/tun rw,
  /dev/vhost-net rw,
  /dev/ptmx rw,
  /dev/pts/[0-9]* rw,
  /dev/tty rw,
  /dev/null rw,
  /dev/zero rw,
  /dev/urandom r,
  /dev/random r,

  /dev/zvol/zfs/** rwk,
  /dev/zd* rwk,

  /sys/devices/system/node/ r,
  /sys/devices/system/node/** r,
  /sys/devices/virtual/block/*/queue/** r,
  /sys/devices/virtual/net/** r,
  /sys/devices/virtual/net/*/bridge/** rw,
  /sys/class/net/** r,
  /proc/sys/vm/max_map_count r,
  /proc/sys/net/ipv6/conf/*/disable_ipv6 rw,
  /proc/*/net/dev r,

  /proc/*/task/*/comm wr,
  /proc/*/cmdline r,
  /proc/*/status r,
  /proc/*/task/**/status r,

  /etc/qemu/** r,
  /usr/share/qemu/** r,
  /usr/share/qemu-server/** r,
  /usr/share/kvm/** r,
  /etc/network/interfaces r,

  /etc/ld.so.cache r,
  /usr/lib/x86_64-linux-gnu/libgnutls.so.* r,


  /usr/share/perl/** r,
  /usr/share/perl5/** r,
  /usr/lib/perl/** r,
  /usr/lib/x86_64-linux-gnu/perl/** r,
  /usr/share/perl5/PVE/** r,

  /var/run/qemu-server/** rwk,
  @{run}/** rwk,
  /dev/shm/** rw,
  /tmp/** rw,

  /var/lib/vz/images/** rwl,
  /backup/** rwl,

  /dev/sg* rw,

  /sys/kernel/security/apparmor/** r,
}
[Last update: 27.05.2025]


I've been running this version for the past few days and so far everything seems to be working fine, with no alerts in dmesg for denied actions.

I'm looking for feedback on the above. Anything else we should be adding? Any things we should be removing? Any other suggestions?

I am hoping that once we reach the final version, the Proxmox team will implement it officially.

We could implement it like libvirt does it, with separate profiles per VM, so we can isolate the virtual disks and file access.
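Added example, not part of the post: a small Python parser for the AppArmor audit lines that dmesg shows when a profile denies something. It collects the DENIED events for the qemu profile above, merges the denied masks per path, and prints candidate rules to review before adding them to the profile. The dmesg lines are constructed samples; note that rules written with an explicit deny (like the deny capability lines in the profile) are quiet by default and only appear in the log when the rule carries the audit qualifier.

```python
import re
from collections import defaultdict

# Constructed sample dmesg lines in the kernel's AppArmor audit format; not taken from the post.
SAMPLE_DMESG = """\
[12345.678901] audit: type=1400 audit(1716800000.123:101): apparmor="DENIED" operation="open" profile="/usr/bin/qemu-system-x86_64" name="/dev/sdb" pid=2101 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
[12345.678902] audit: type=1400 audit(1716800000.124:102): apparmor="DENIED" operation="open" profile="/usr/bin/qemu-system-x86_64" name="/dev/sdb" pid=2101 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[12345.678903] audit: type=1400 audit(1716800000.125:103): apparmor="DENIED" operation="capable" profile="/usr/bin/qemu-system-x86_64" pid=2101 comm="qemu-system-x86" capability=23 capname="sys_nice"
[12345.678904] audit: type=1400 audit(1716800000.126:104): apparmor="ALLOWED" operation="open" profile="/usr/bin/qemu-system-x86_64" name="/etc/pve/pve-root-ca.pem" pid=2101 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[12345.678905] audit: type=1400 audit(1716800000.127:105): apparmor="DENIED" operation="open" profile="/usr/bin/other-program" name="/etc/shadow" pid=3000 comm="other-program" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def collect_denials(text, profile):
    """Group DENIED events for one profile: (kind, object) -> set of denied mask letters.

    Explicit 'deny' rules in a profile are quiet by default, so their hits never show up
    here unless the rule carries the 'audit' qualifier."""
    denials = defaultdict(set)
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # ALLOWED lines come from complain mode and are not denials
        ev = parse_audit_line(line)
        if ev.get("profile") != profile:
            continue  # other confined programs are not our concern here
        if ev.get("operation") == "capable":
            denials[("capable", ev["capname"])]  # key only: capabilities carry no mask
        elif "name" in ev:
            # Merge masks from repeated hits, e.g. 'r' and 'rw' for the same path become 'rw'.
            denials[("file", ev["name"])].update(ev.get("denied_mask", ""))
    return denials

def suggest_rules(denials):
    """Render grouped denials as candidate profile lines to review before adding them."""
    rules = []
    for (kind, obj), masks in sorted(denials.items()):
        if kind == "capable":
            rules.append(f"capability {obj},")
        else:
            rules.append(f"{obj} {''.join(sorted(masks))},")
    return rules

if __name__ == "__main__":
    for rule in suggest_rules(collect_denials(SAMPLE_DMESG, "/usr/bin/qemu-system-x86_64")):
        print(rule)
```

On a live host, feed it the output of dmesg or journalctl -k instead of the constructed sample; the candidate lines are a starting point for review, not something to paste in blindly.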
Qemu also offers a sandboxing functionality, which would work very well alongside AppArmor.
This one uses seccomp to block dangerous syscalls and has a few other protections.

It can currently be activated by setting the -args: -sandbox on
I've been testing it in the past days and did not find any issues with it; everything works smoothly.

I've opened a feature request, in the hope of having it officially supported through the API/GUI: https://bugzilla.proxmox.com/show_bug.cgi?id=6413