[libvirt] [PATCH v9 13/17] security: Add swtpm paths to the domain's AppArmor profile

Stefan Berger stefanb at linux.vnet.ibm.com
Thu Jun 7 17:16:48 UTC 2018


On 06/04/2018 11:46 AM, Stefan Berger wrote:
> This patch extends the AppArmor domain profile with file paths
> the swtpm accesses for state, log, pid, and socket files.
>
> Both QEMU and swtpm use this AppArmor profile.
>
> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
> Cc: Christian Ehrhardt <christian.ehrhardt at canonical.com>

After the recent changes I had made to it, I didn't think it was 
appropriate to take the Reviewed-by. Can someone have a (quick) look?

    Stefan

> ---
>   examples/apparmor/libvirt-qemu |  3 +++
>   src/security/virt-aa-helper.c  | 45 ++++++++++++++++++++++++++++++++++++++++++
>   2 files changed, 48 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 2c47652250..854729d0ae 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -158,6 +158,9 @@
>     /usr/{lib,lib64}/qemu/*.so mr,
>     /usr/lib/@{multiarch}/qemu/*.so mr,
>
> +  # swtpm
> +  /usr/bin/swtpm rmix,
> +
>     # for save and resume
>     /{usr/,}bin/dash rmix,
>     /{usr/,}bin/dd rmix,
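Review bot: the `ix` in `/usr/bin/swtpm rmix,` makes swtpm inherit this profile instead of transitioning to one of its own, which is what the commit message means by both QEMU and swtpm using the same profile; state that in the `# swtpm` comment so a reader of the profile knows the sharing is deliberate and not an oversight. The neighbouring helper rules are written as `/{usr/,}bin/dash rmix,`; if swtpm also needs to match on hosts without a merged /usr, use the same `/{usr/,}bin/swtpm rmix,` alternation for consistency.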
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index d0f9876da5..7a6fb31e9a 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1185,6 +1185,51 @@ get_files(vahControl * ctl)
>           }
>       }
>
> +    if (ctl->def->tpm) {
> +        char *shortName = NULL;
> +        const char *tpmpath = NULL;
> +
> +        switch (ctl->def->tpm->type) {
> +        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
> +            shortName = virDomainDefGetShortName(ctl->def);
> +
> +            switch (ctl->def->tpm->version) {
> +            case VIR_DOMAIN_TPM_VERSION_1_2:
> +                tpmpath = "tpm1.2";
> +                break;
> +            case VIR_DOMAIN_TPM_VERSION_2_0:
> +                tpmpath = "tpm2";
> +                break;
> +            case VIR_DOMAIN_TPM_VERSION_DEFAULT:
> +            case VIR_DOMAIN_TPM_VERSION_LAST:
> +                break;
> +            }
> +
> +            /* Unix socket for QEMU and swtpm to use */
> +            virBufferAsprintf(&buf,
> +                "  \"/run/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
> +                shortName);
> +            /* Paths for swtpm to use: give it access to its state
> +             * directory, log, and PID files.
> +             */
> +            virBufferAsprintf(&buf,
> +                "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
> +                LOCALSTATEDIR, uuidstr, tpmpath);
> +            virBufferAsprintf(&buf,
> +                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
> +                LOCALSTATEDIR, ctl->def->name);
> +            virBufferAsprintf(&buf,
> +                "  \"/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
> +                shortName);
> +
> +            VIR_FREE(shortName);
> +            break;
> +        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
> +        case VIR_DOMAIN_TPM_TYPE_LAST:
> +            break;
> +        }
> +    }
> +
>       if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
>           for (i = 0; i < ctl->def->nnets; i++) {
>               virDomainNetDefPtr net = ctl->def->nets[i];
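Review bot: `tpmpath` is left NULL for VIR_DOMAIN_TPM_VERSION_DEFAULT and VIR_DOMAIN_TPM_VERSION_LAST, and `shortName` is never checked after `shortName = virDomainDefGetShortName(ctl->def);`, yet both are handed to a `%s` in virBufferAsprintf(); a NULL in either spot yields a bogus state-directory or socket/pid rule rather than an error. Add a check right after the version switch that reports an error, frees `shortName` and leaves through the same error path the rest of get_files() uses (the hunk does not show that path, so pick the label that applies), or reject an unresolved DEFAULT version before this point if it is normalised elsewhere. Two smaller points: the log rule keys on `ctl->def->name` while the socket and pid rules use `shortName`; if that asymmetry is intentional because swtpm names its log from the raw domain name, say so in the comment, otherwise use one of the two consistently. `uuidstr` is not defined in this hunk, so the state-directory rule relies on it already being populated earlier in get_files().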
