[libvirt] [PATCH v8 13/18] security: Add swtpm paths to the domain's AppArmor profile

Stefan Berger stefanb at linux.vnet.ibm.com
Thu May 24 20:29:58 UTC 2018


On 05/24/2018 04:26 PM, Stefan Berger wrote:
> This patch extends the AppArmor domain profile with file paths
> the swtpm accesses for state, log, pid, and socket files.
>
> Both QEMU and swtpm use this AppArmor profile.
>
> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
> Cc: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
>   examples/apparmor/libvirt-qemu |  3 +++
>   src/security/virt-aa-helper.c  | 24 ++++++++++++++++++++++++
>   2 files changed, 27 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 2c47652250..854729d0ae 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -158,6 +158,9 @@
>     /usr/{lib,lib64}/qemu/*.so mr,
>     /usr/lib/@{multiarch}/qemu/*.so mr,
>
> +  # swtpm
> +  /usr/bin/swtpm rmix,
> +
>     # for save and resume
>     /{usr/,}bin/dash rmix,
>     /{usr/,}bin/dd rmix,
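Review bot: `/usr/bin/swtpm rmix,` hard-codes the path, while the neighbouring tool rules in this abstraction use the `/{usr/,}bin/` alternation (`/{usr/,}bin/dash rmix,`, `/{usr/,}bin/dd rmix,`); unless swtpm is guaranteed to live only under /usr/bin, `/{usr/,}bin/swtpm rmix,` keeps the style consistent and covers both prefixes. It is also worth saying in the `# swtpm` comment what `ix` implies: swtpm inherits the whole libvirt-qemu profile, so it gets every device, library and helper permission QEMU has, which is wider than a TPM emulator needs; a confined child profile (`cx`) would be tighter, but since the per-domain rules virt-aa-helper generates for swtpm's state, log and pid files land in the same profile, `ix` is what makes those rules reach swtpm, and the comment should state that trade-off.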

I cannot get the existing AppArmor profiles in examples/apparmor to 
work. So this is an addition that I would anticipate is necessary. 
Whether this plus the extensions to virt-aa-helper.c below 
are sufficient is not clear.

> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index d0f9876da5..6ee436e66c 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1185,6 +1185,30 @@ get_files(vahControl * ctl)
>           }
>       }
>
> +    if (ctl->def->tpm) {
> +        char *shortName = virDomainDefGetShortName(ctl->def);
> +        switch (ctl->def->tpm->type) {
> +        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
> +            virBufferAsprintf(&buf,
> +                "  \"%s/run/libvirt/qemu/swtpm/%s-swtpm.sock\" x,\n",
> +                LOCALSTATEDIR, shortName);
> +            /* paths for swtpm to use */
> +            virBufferAsprintf(&buf,
> +                "  \"%s/lib/libvirt/swtpm/%s,tpm2/**\" rw,\n",
> +                LOCALSTATEDIR, uuidstr);
> +            virBufferAsprintf(&buf,
> +                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" rw,\n",
> +                LOCALSTATEDIR, shortName);
> +            virBufferAsprintf(&buf,
> +                "  \"%s/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
> +                LOCALSTATEDIR, shortName);
> +            break;
> +        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
> +        case VIR_DOMAIN_TPM_TYPE_LAST:
> +            break;
> +        }
> +    }
> +
>       if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
>           for (i = 0; i < ctl->def->nnets; i++) {
>               virDomainNetDefPtr net = ctl->def->nets[i];
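Review bot: `shortName` from `virDomainDefGetShortName()` is neither checked for NULL nor freed in the `VIR_DOMAIN_TPM_TYPE_EMULATOR` branch, so every call leaks it and a failed allocation would format `(null)` into the generated profile; declare it at the top of the block, check it, and `VIR_FREE(shortName)` before the `break`. The socket rule grants `x` on `%s-swtpm.sock`, but a Unix socket path is created and connected to, not executed: both the QEMU side and the swtpm side need `rw` there, and an AppArmor execute permission without an `ix`/`px`/`ux`/`cx` qualifier does not express anything useful. In the state-directory rule `\"%s/lib/libvirt/swtpm/%s,tpm2/**\"` the comma is literal, so it only matches a directory named `<uuid>,tpm2`; if the comma was meant to separate alternatives, the glob needs a brace alternation (e.g. `%s/lib/libvirt/swtpm/%s{,tpm2}/**`), or the version-specific component should be chosen in code. Finally, if swtpm takes file locks on its state, log or pid files, `rw` alone is denied on the lock; `rwk` would cover that, and the `/* paths for swtpm to use */` comment should be moved above the socket rule or reworded, since the socket is shared by QEMU and swtpm while only the state, log and pid paths are swtpm's alone.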
