abi <abi/4.0>,

include <tunables/global>

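profile systemd-detect-virt /usr/bin/systemd-detect-virt {
  include <abstractions/base>

  # systemd-detect-virt only probes which VM / container / confidential-computing
  # technology it is running under. The rules below mirror the probe functions in
  # systemd's virt.c and confidential-virt.c; commented-out rules are accesses
  # (F_OK, stat, statfs) that AppArmor does not mediate, kept so the full set of
  # paths the tool touches stays visible.
  /usr/bin/systemd-detect-virt mr,

  # Not using @{run}, etc. because all the paths below are hardcoded absolute prefixes
  # F_OK and access(2) not mediated but still note these in case we need to do something with them later
  # AppArmor matches on the path the kernel resolves, so symlinked locations
  # (/sys/class/dmi/id, /proc/device-tree) are written as their link targets below.

  ## systemd/src/basic/virt.c:detect_container
  #/proc/{vz,bc} r, # F_OK

  /proc/sys/kernel/osrelease r,
  # /proc/self/status -> /proc/@{TracerPid}/comm -> startswith("proot")
  /proc/@{pid}/status r,
  /proc/@{pids}/comm r,

  /run/host/container-manager r,

  /run/systemd/container r,
  # Check env vars of non-systemd init, which (according to source comment) needs CAP_SYS_PTRACE
  /proc/1/environ r,
  capability sys_ptrace,
  # peer=systemd itself but unfortunately we can't be more fine-grained than this:
  # the peer is matched by label, so this permits read-tracing of any unconfined
  # process, not only PID 1. Keep it paired with the single /proc/1/environ read above.
  ptrace read peer=unconfined,

  # systemd/src/basic/virt.c:detect_container_files
  #/run/.containerenv r, # F_OK
  #/.dockerenv r, # F_OK
  # systemd/src/basic/virt.c:running_in_pidns -> systemd/src/basic/namespace-util.c:namespace_is_init
  /proc/sys/kernel/cap_last_cap r,
  /proc/filesystems r,
  /proc/@{pid}/{g,u}id_map r,
  #/proc/ns/pid/ r, # stat
  # Unsure if /proc/ r, is needed for checking whether /proc/ is set up
  #/proc/@{pid}/ns/cgroup r, # F_OK
  #/sys/fs/cgroup/ r, # statfs
  #/sys/fs/cgroup/cgroup.events r, # F_OK

  ## systemd/src/basic/virt.c:detect_vm
  # detect_vm_dmi -> detect_vm_dmi_vendor
  # /sys/class/dmi/id is symlink to /sys/devices/virtual/dmi/id
  /sys/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,product_version} r,
  # detect_vm_dmi -> detect_vm_smbios
  /sys/firmware/dmi/entries/0-0/raw r,
  # detect_vm_uml
  /proc/cpuinfo r,
  # detect_vm_xen
  #/proc/xen r, # F_OK
  # detect_vm_xen -> detect_vm_xen_dom0
  /sys/hypervisor/properties/features r,
  /proc/xen/capabilities r,
  # detect_vm_cpuid uses the cpuid instruction and doesn't need rules
  # detect_vm_hypervisor
  /sys/hypervisor/type r,
  # detect_vm_device_tree
  # /proc/device-tree is a symlink to /sys/firmware/devicetree/base, so rules use the
  # target path (same reasoning as the dmi rules above); the /proc/device-tree spelling
  # never matches because the kernel has already resolved the link when AppArmor checks.
  /sys/firmware/devicetree/base/hypervisor/compatible r,
  #"/sys/firmware/devicetree/base/ibm,partition-name" r, # F_OK
  #"/sys/firmware/devicetree/base/hmc-managed?" r, # F_OK
  #"/sys/firmware/devicetree/base/chosen/qemu,graphic-width" r, # F_OK
  /sys/firmware/devicetree/base/ r, # FOREACH_DIRENT looking for /proc/device-tree/*fw-cfg*
  /sys/firmware/devicetree/base/compatible r,
  # detect_vm_zvm
  /proc/sysinfo r,

  ## systemd/src/basic/confidential-virt.c:detect_confidential_virtualization
  # defined(__x86_64__)
  # detect_sev -> msr
  # NOTE(review): the kernel's msr driver also requires CAP_SYS_RAWIO to open this
  # device, so with no `capability sys_rawio,` here the open is refused and SEV
  # detection is skipped. That capability is very broad; confirm against the systemd
  # source that a failed open is treated as "not confidential" before granting it.
  /dev/cpu/0/msr r,
  # detect_tdx has no accesses
  # defined(__s390x__)
  /sys/firmware/uv/prot_virt_guest r,
  # defined(__aarch64__)
  #/sys/devices/platform/arm-cca-dev r, # F_OK

  include if exists <local/systemd-detect-virt>
}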
