[PATCH] apparmor: Allow swtpm to use its own apparmor profile

Jim Fehlig jfehlig at suse.com
Thu Apr 21 14:58:57 UTC 2022


On 4/20/22 03:40, Christian Ehrhardt wrote:
> On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek <lena.voytek at canonical.com> wrote:
> 
> Hi Lena,
> the code is fine - I can confirm that this works well in Ubuntu 22.04 already.
> 
> But we should add a non-empty commit message here.
> Just outline that this is needed when swtpm itself runs under a
> profile called "swtpm".
> And maybe reference the upstreaming of that profile into the swtpm project.
> 
> P.S. also adding Jim to CC as he looks at apparmor from SUSE's POV sometimes.

I see this patch has already been pushed. Regardless, it LGTM.

Regards,
Jim

> 
>> Signed-off-by: Lena Voytek <lena.voytek at canonical.com>
>> ---
>>   src/security/apparmor/libvirt-qemu         | 3 ++-
>>   src/security/apparmor/usr.sbin.libvirtd.in | 1 +
>>   2 files changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
>> index 250ba4ea58..c29168da27 100644
>> --- a/src/security/apparmor/libvirt-qemu
>> +++ b/src/security/apparmor/libvirt-qemu
>> @@ -180,7 +180,7 @@
>>     audit deny /{var/,}run/qemu/*/*.so w,
>>
>>     # swtpm
>> -  /{usr/,}bin/swtpm rmix,
>> +  /{usr/,}bin/swtpm rmpix,
>>     /usr/{lib,lib64}/libswtpm_libtpms.so mr,
>>     /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
>>
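Review bot: the change from `ix` to `pix` on `/{usr/,}bin/swtpm` only transitions to a separate profile if one attaching to the swtpm binary is loaded, and the `i` fallback otherwise keeps swtpm confined under the libvirt-qemu profile as before; since the commit message is empty, it should state that the new behaviour depends on a profile named `swtpm` being loaded (that is the label the following hunk expects) and that hosts without it see no change. Worth noting as well that a profile attached to `/usr/bin/swtpm` under any other name would satisfy the `p` transition but not the `label=swtpm` peer rules, so the name is a hard requirement, not a convention.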
>> @@ -226,6 +226,7 @@
>>     unix (send, receive) type=stream addr=none peer=(label=libvirtd),
>>     unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
>>     unix (send, receive) type=stream addr=none peer=(label=virtqemud),
>> +  unix (send, receive) type=stream addr=none peer=(label=swtpm),
>>
>>     # for gathering information about available host resources
>>     /sys/devices/system/cpu/ r,
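Review bot: the surrounding rules pair a named label with a path-based label (`peer=(label=libvirtd)` next to `peer=(label=/usr/sbin/libvirtd)`), but the added line has only `peer=(label=swtpm)`; if the swtpm profile is loaded under its attachment path rather than the name `swtpm`, the qemu to swtpm stream socket would be denied. Either add a matching `unix (send, receive) type=stream addr=none peer=(label=/usr/bin/swtpm),` line for consistency with the existing pattern, or document in the commit message that the profile must be named `swtpm`.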
>> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
>> index f2ab6ff2aa..886f1ad518 100644
>> --- a/src/security/apparmor/usr.sbin.libvirtd.in
>> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
>> @@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
>>     ptrace (read,trace) peer=dnsmasq,
>>     ptrace (read,trace) peer=/usr/sbin/dnsmasq,
>>     ptrace (read,trace) peer=libvirt-*,
>> +  ptrace (read,trace) peer=swtpm,
>>
>>     signal (send) peer=dnsmasq,
>>     signal (send) peer=/usr/sbin/dnsmasq,
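Review bot: `ptrace (read,trace) peer=swtpm,` grants libvirtd `trace` on swtpm in addition to `read`; `read` is what is needed to inspect a confined peer's /proc entries, while `trace` additionally allows attaching to the process. The line mirrors the existing dnsmasq and `libvirt-*` entries, so it follows the profile's convention, but if libvirtd only reads swtpm's /proc state it could be tightened to `ptrace (read) peer=swtpm,`. As with the dnsmasq pair (`peer=dnsmasq` and `peer=/usr/sbin/dnsmasq`), there is no path-based counterpart for swtpm, which again ties the rule to the profile name.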
>> --
>> 2.25.1
>>