[PATCH] apparmor: Allow swtpm to use its own apparmor profile
Daniel P. Berrangé
berrange at redhat.com
Wed Apr 20 14:57:34 UTC 2022
From: Lena Voytek <lena.voytek at canonical.com>
Signed-off-by: Lena Voytek <lena.voytek at canonical.com>
---
src/security/apparmor/libvirt-qemu | 3 ++-
src/security/apparmor/usr.sbin.libvirtd.in | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
FYI this was merged via gitlab
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 250ba4ea58..c29168da27 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -180,7 +180,7 @@
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm
- /{usr/,}bin/swtpm rmix,
+ /{usr/,}bin/swtpm rmpix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
@@ -226,6 +226,7 @@
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+ unix (send, receive) type=stream addr=none peer=(label=swtpm),
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index f2ab6ff2aa..886f1ad518 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
+ ptrace (read,trace) peer=swtpm,
signal (send) peer=dnsmasq,
signal (send) peer=/usr/sbin/dnsmasq,
--
2.35.1
More information about the libvir-list
mailing list