commit 141103378a74c68cbd775a306cdfd641119debbd
Author: intrigeri
Date: Sun Nov 5 15:29:57 2017 +0000

AppArmor: add rules needed with additional mediation features brought by Linux 4.14.

Index: libvirt-3.9.0/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-3.9.0.orig/examples/apparmor/libvirt-qemu
+++ libvirt-3.9.0/examples/apparmor/libvirt-qemu
@@ -16,6 +16,10 @@
 network inet stream,
 network inet6 stream,
 
+ ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+ signal (receive) peer=/usr/sbin/libvirtd,
+
 /dev/net/tun rw,
 /dev/kvm rw,
 /dev/ptmx rw,
Index: libvirt-3.9.0/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-3.9.0.orig/examples/apparmor/usr.sbin.libvirtd
+++ libvirt-3.9.0/examples/apparmor/usr.sbin.libvirtd
@@ -30,10 +30,13 @@
 # Needed for vfio capability
 sys_resource,
 
+ mount,
+
 network inet stream,
 network inet dgram,
 network inet6 stream,
 network inet6 dgram,
+ network netlink raw,
 network packet dgram,
 network packet raw,
 
@@ -42,6 +45,9 @@
 ptrace (trace) peer=/usr/sbin/dnsmasq,
 ptrace (trace) peer=libvirt-*,
 
+ signal (send) peer=/usr/sbin/dnsmasq,
+ signal (read, send) peer=libvirt-*,
+
 # Very lenient profile for libvirtd since we want to first focus on confining
 # the guests. Guests will have a very restricted profile.
 / r,
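Review bot: The two new rules in the libvirt-qemu hunk carry no explanation, while the neighbouring profile documents its non-obvious grants ("# Needed for vfio capability"); a reader of the guest profile cannot tell from the rule text that these only became necessary once the kernel started mediating ptrace and signals. A one-line comment above the `ptrace (readby, tracedby)` rule, such as `# Needed since Linux 4.14 mediates ptrace and signals; libvirtd must inspect and signal its guests`, would carry the reasoning given in the commit message into the profile itself. Both rules also hard-code `peer=/usr/sbin/libvirtd`; if libvirtd is ever confined under a different profile name (a relocated binary, for example) the rules silently stop matching and the only symptom would be audit denials, so the dependency on the `usr.sbin.libvirtd` profile name is worth stating in that comment too. The `signal (receive)` rule accepts any signal from libvirtd; whether it can be narrowed with a `set=(...)` qualifier depends on which signals libvirtd actually sends to guests, which the patch does not say.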
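Review bot: The bare `mount,` rule in the first usr.sbin.libvirtd hunk grants every mount operation — any flags, filesystem type, source and target — which is a far broader permission than the other additions in this patch, and nothing in the hunk records why it is needed. Even if the profile is deliberately lenient (the comment further down says so), the grant should at least be documented in the same style as the `sys_resource` line above it, e.g. `# Needed for the mount operations libvirtd performs when setting up domains (Linux >= 4.14 mediates mount)`, so a later reviewer can decide whether a qualified rule (`mount fstype=... -> /path/**,`) would suffice; which mounts libvirtd performs is not visible in this diff, so that sentence should be confirmed before it is committed. The `network netlink raw,` addition is much narrower but would also benefit from a short note on what it serves, so that the list of network rules stays self-explanatory.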
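Review bot: The second new signal rule mixes spellings: `signal (read, send) peer=libvirt-*,` uses the `read` alias for receive, whereas the guest-side counterpart added in libvirt-qemu uses `receive`; for consistency across the two profiles I would write `signal (receive, send) peer=libvirt-*,`. Neither signal rule carries a `set=` qualifier, so libvirtd may deliver any signal to dnsmasq and to every guest labeled `libvirt-*`; if the set of signals libvirtd uses toward these peers is known (I believe it includes hup for dnsmasq and term/kill for guests, but this diff does not show it), restricting the rules to that set would keep the signal mediation the commit enables from being a no-op in practice. The `ptrace (trace)` rules just above are already scoped to a single access mode, so scoping the signal rules the same way would match the existing style of this block.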