On 05/24/2018 04:26 PM, Stefan Berger wrote:
This patch extends the AppArmor domain profile with file paths
the swtpm accesses for state, log, pid, and socket files.
Both QEMU and swtpm use this AppArmor profile.
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
Cc: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 3 +++
src/security/virt-aa-helper.c | 24 ++++++++++++++++++++++++
2 files changed, 27 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 2c47652250..854729d0ae 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -158,6 +158,9 @@
/usr/{lib,lib64}/qemu/*.so mr,
/usr/lib/(a){multiarch}/qemu/*.so mr,
+ # swtpm
+ /usr/bin/swtpm rmix,
+
# for save and resume
/{usr/,}bin/dash rmix,
/{usr/,}bin/dd rmix,
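Review bot: `rmix` on `/usr/bin/swtpm` runs the emulator inside the same per-VM profile as QEMU, so swtpm inherits every rule the VM is granted (disk images, devices, sockets) rather than only the state, log, pid and socket paths that virt-aa-helper adds for it. If the intent is least privilege, a child-profile transition (`cx`) or a dedicated swtpm profile would confine the emulator to its own files; the commit message says sharing the profile is deliberate, so at minimum the choice deserves a comment beside the rule, e.g. `# swtpm runs under the VM's profile (ix); its file paths come from virt-aa-helper`.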
I cannot get the existing AppArmor profiles in examples/apparmor to
work. So this is an addition that I anticipate is necessary. Whether
this plus the extensions to virt-aa-helper.c below are sufficient is
not clear.
diff --git a/src/security/virt-aa-helper.c
b/src/security/virt-aa-helper.c
index d0f9876da5..6ee436e66c 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1185,6 +1185,30 @@ get_files(vahControl * ctl)
}
}
+ if (ctl->def->tpm) {
+ char *shortName = virDomainDefGetShortName(ctl->def);
+ switch (ctl->def->tpm->type) {
+ case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ virBufferAsprintf(&buf,
+ " \"%s/run/libvirt/qemu/swtpm/%s-swtpm.sock\"
x,\n",
+ LOCALSTATEDIR, shortName);
+ /* paths for swtpm to use */
+ virBufferAsprintf(&buf,
+ " \"%s/lib/libvirt/swtpm/%s,tpm2/**\" rw,\n",
+ LOCALSTATEDIR, uuidstr);
+ virBufferAsprintf(&buf,
+ " \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\"
rw,\n",
+ LOCALSTATEDIR, shortName);
+ virBufferAsprintf(&buf,
+ " \"%s/run/libvirt/qemu/swtpm/%s-swtpm.pid\"
rw,\n",
+ LOCALSTATEDIR, shortName);
+ break;
+ case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+ case VIR_DOMAIN_TPM_TYPE_LAST:
+ break;
+ }
+ }
+
if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
for (i = 0; i < ctl->def->nnets; i++) {
virDomainNetDefPtr net = ctl->def->nets[i];
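Review bot: The first rule in the added block grants only `x` on `%s-swtpm.sock`, but AppArmor mediates a unix socket as a file and needs `w` to bind and `rw` to connect, so neither swtpm nor QEMU would be allowed to use it; the permission should be `" \"%s/run/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",`. `shortName` is passed to `%s` without a NULL check, and since virDomainDefGetShortName() returns an allocated string it also leaks here — bail out through get_files' error path when it is NULL and add `VIR_FREE(shortName);` after the switch. The comma in `%s,tpm2/**` makes the glob match a directory literally named `<uuid>,tpm2`, which looks like a typo for `/` (and a TPM 1.2 emulator would need `tpm1.2` as well); worth confirming against the state directory swtpm is actually started with. get_files() begins and ends outside the hunk.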