[libvirt] [PATCH v8 13/18] security: Add swtpm paths to the domain's AppArmor profile

Stefan Berger stefanb at linux.vnet.ibm.com
Thu May 24 20:26:09 UTC 2018


This patch extends the AppArmor domain profile with file paths
the swtpm accesses for state, log, pid, and socket files.

Both QEMU and swtpm run under this AppArmor profile (swtpm inherits it via `ix`).

Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
Cc: Christian Ehrhardt <christian.ehrhardt at canonical.com>
---
 examples/apparmor/libvirt-qemu |  3 +++
 src/security/virt-aa-helper.c  | 24 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 2c47652250..854729d0ae 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -158,6 +158,9 @@
   /usr/{lib,lib64}/qemu/*.so mr,
   /usr/lib/@{multiarch}/qemu/*.so mr,
 
+  # swtpm
+  /usr/bin/swtpm rmix,
+
   # for save and resume
   /{usr/,}bin/dash rmix,
   /{usr/,}bin/dd rmix,
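Review bot: `/usr/bin/swtpm rmix,` starts swtpm inherited (`ix`) into the full guest profile, so it receives every permission QEMU has, including the per-domain rules virt-aa-helper generates, rather than only the swtpm state/log/pid/socket paths. A child profile (`Cx`) limited to those paths would be tighter; if sharing the profile is the intended trade-off, the profile should say so, e.g. `# swtpm runs inherited in the guest's profile; its state/log/pid/socket paths are emitted by virt-aa-helper`. The commit message already notes that both processes share the profile, but that rationale is invisible to someone auditing the profile file alone.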
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index d0f9876da5..6ee436e66c 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1185,6 +1185,30 @@ get_files(vahControl * ctl)
         }
     }
 
+    if (ctl->def->tpm) {
+        char *shortName = virDomainDefGetShortName(ctl->def);
+        switch (ctl->def->tpm->type) {
+        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+            virBufferAsprintf(&buf,
+                "  \"%s/run/libvirt/qemu/swtpm/%s-swtpm.sock\" x,\n",
+                LOCALSTATEDIR, shortName);
+            /* paths for swtpm to use */
+            virBufferAsprintf(&buf,
+                "  \"%s/lib/libvirt/swtpm/%s,tpm2/**\" rw,\n",
+                LOCALSTATEDIR, uuidstr);
+            virBufferAsprintf(&buf,
+                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" rw,\n",
+                LOCALSTATEDIR, shortName);
+            virBufferAsprintf(&buf,
+                "  \"%s/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
+                LOCALSTATEDIR, shortName);
+            break;
+        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+        case VIR_DOMAIN_TPM_TYPE_LAST:
+            break;
+        }
+    }
+
     if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
         for (i = 0; i < ctl->def->nnets; i++) {
             virDomainNetDefPtr net = ctl->def->nets[i];
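Review bot: The socket rule emitted by the first virBufferAsprintf in the VIR_DOMAIN_TPM_TYPE_EMULATOR case uses a bare `x` permission, which apparmor_parser rejects (`x` has to be qualified as `ix`/`px`/`cx`/`ux`), and a Unix socket path needs read/write, not execute, for QEMU and swtpm to bind/connect to it; the line should read `"  \"%s/run/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n"`. `shortName` is obtained from virDomainDefGetShortName(), which returns a freshly allocated string, yet it is neither NULL-checked nor released anywhere in the hunk, so every emulator-TPM domain leaks it and an allocation failure would format "(null)" into the profile; mirror the function's existing error path on NULL and add `VIR_FREE(shortName);` after the switch. The state-directory rule writes `%s,tpm2/**`: inside a quoted AppArmor path a comma is literal, so this matches only a directory named `<uuid>,tpm2`; if swtpm's state lives under `<uuid>/tpm2` as the rest of this series suggests, it should be `%s/tpm2/**`. get_files() begins and ends outside this hunk, so its cleanup label and the definition of uuidstr are not visible here.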
-- 
2.14.3



